541 개 항목 찾음
취약점

Mass Assignment: Insecure Binder Configuration

Abstract
모델 클래스의 HTTP 요청 매개 변수 바인딩에 사용되는 프레임워크 바인더는 특정 속성을 허용하거나 허용하지 않도록 명백하게 구성되어 있지 않습니다.
Explanation
개발을 쉽게 하고 생산성을 증가할 수 있도록, 대부분의 현대적 프레임워크에서는 개체가 바인딩할 클래스 속성과 이름이 일치하는 HTTP 요청 매개 변수로 자동 인스턴스화되고 채워질수 있도록 합니다. 개체의 자동 인스턴스화 및 채우기는 개발 속도를 높이지만 아무런 주의 없이 구현되는 경우 심각한 문제가 발생할 수 있습니다. 바운드 클래스 또는 중첩된 클래스의 모든 속성은 HTTP 요청 매개 변수로 자동 바인딩됩니다. 따라서 악의적인 사용자는 웹 폼 또는 API 계약을 통해 클라이언트에 노출되지 않더라도 바운드 또는 중첩된 클래스에 있는 모든 속성에 값을 할당할 수 있습니다.

예제 1: 추가 구성 없이 다음 ASP.NET MVC 컨트롤러 메서드는 RegisterModel 또는Details 클래스에서 모든 속성으로 HTTP 요청 매개 변수를 바인딩합니다.


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}
RegisterModel 클래스는 다음과 같이 정의됩니다.


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}
Details 클래스는 다음과 같이 정의됩니다.


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}
예제 2: ASP.NET MVC 또는 Web API 응용 프로그램에서 TryUpdateModel() 또는UpdateModel()을 사용하는 경우 모델 바인더는 기본적으로 모든 HTTP 요청 매개 변수를 자동 바인딩하려고 합니다.


public ViewResult Register()
{
    var model = new RegisterModel();
    TryUpdateModel<RegisterModel>(model);
    return View("detail", model);
}
예제 3: ASP.NET Web Form 응용 프로그램에서 모델 바인더는 IValueProvider 인터페이스로 TryUpdateModel() 또는UpdateModel()을 사용하는 경우 모든 HTTP 요청 매개 변수를 자동으로 바인딩하려고 시도합니다.

Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext)); 
if (ModelState.IsValid)
{
    db.SaveChanges();
}
Employee 클래스는 다음과 같이 정의됩니다.


 public class Employee
    {
        public Employee()
        {
            IsAdmin = false;
            IsManager = false;
        }
        public string Name { get; set; }
        public string Email { get; set; }
        public bool IsManager { get; set; }
        public bool IsAdmin { get; set; }
    }
References
[1] OWASP Mass assignment
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.dotnet.mass_assignment_insecure_binder_configuration
Abstract
HTTP 요청 매개 변수를 모델 클래스에 바인딩하는 데 사용되는 프레임워크 바인더가 특정 속성을 허용하거나, 허용하지 않도록 명시적으로 구성되지 않았습니다.
Explanation
개발을 용이하게 하고 생산성을 높이기 위해 대부분의 최신 프레임워크에서는 바인딩할 클래스의 속성과 이름이 일치하는 HTTP 요청 매개 변수로 개체를 자동으로 인스턴스화하고 채울 수 있습니다. 자동 인스턴스화 및 개체 채우기는 개발 속도를 높이지만 주의 없이 구현하면 심각한 문제가 발생할 수 있습니다. 바인딩된 클래스 또는 중첩된 클래스의 모든 속성은 HTTP 요청 매개 변수에 자동으로 바인딩됩니다. 따라서 악의적인 사용자는 웹 양식이나 API 계약을 통해 클라이언트에 노출되지 않는 경우에도 바인딩되거나 중첩된 클래스의 모든 속성에 값을 할당할 수 있습니다.

예제 1: Spring WebFlow를 추가 구성 없이 사용하는 다음 작업은 HTTP 요청 매개 변수를 Booking 클래스의 모든 속성에 바인딩합니다.


    <view-state id="enterBookingDetails" model="booking">
		<on-render>
			<render fragments="body" />
		</on-render>
        <transition on="proceed" to="reviewBooking">
        </transition>
		<transition on="cancel" to="cancel" bind="false" />
	</view-state>


여기서 Booking 클래스는 다음으로 정의됩니다.


public class Booking implements Serializable {
	private Long id;
	private User user;
	private Hotel hotel;
	private Date checkinDate;
	private Date checkoutDate;
	private String creditCard;
	private String creditCardName;
	private int creditCardExpiryMonth;
	private int creditCardExpiryYear;
	private boolean smoking;
	private int beds;
	private Set<Amenity> amenities;

   // Public Getters and Setters
   ...
}
References
[1] OWASP Mass assignment
[2] Pivotal Spring MVC Known Vulnerabilities and Issues
[3] Standards Mapping - Common Weakness Enumeration CWE ID 915
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.config.java.mass_assignment_insecure_binder_configuration

Mass Assignment: Request Parameters Bound into Persisted Objects

Abstract
요청 매개 변수로 자동 입력되도록 데이터베이스의 지속적인 엔터티를 허용하면 공격자가 연결 엔터티에 의도하지 않은 기록을 작성하거나 엔터티 개체의 의도하지 않은 필드를 업데이트할 수 있습니다.
Explanation
모델 개체는 데이터베이스 엔터티의 개체 지향적인 표현입니다. convenience 메서드가 제공되어 관련 데이터베이스 엔터티가 로드, 저장, 업데이트 및 삭제됩니다.
Hibernate, Microsoft .NET Entity 프레임워크 및 LINQ는 데이터베이스 지원 모델 개체를 빌드할 수 있는 ORM(Object Relational Mapping) 프레임워크의 예입니다.

많은 웹 프레임워크가 공용 getter 및 setter 메서드 일치에 기반을 둔 모델 개체 속성 이름과 요청 매개 변수 이름이 일치하는지에 따라 요청 범위 개체로 요청 매개 변수를 바인딩하기 위한 메커니즘을 제공하여 개발자의 수고를 덜어 줍니다.

응용 프로그램이 ORM 클래스를 요청 범위 개체로 사용할 경우, 요청 매개 변수가 해당 모델 개체의 필드 및 중첩된 개체 속성 필드를 수정할 가능성이 높습니다.

예제 1:Order, CustomerProfile은 Microsoft .NET Entity 지속형 클래스입니다.

public class Order {
	public string ordered { get; set; }
	public List<LineItem> LineItems { get; set; }
	pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
	public int CustomerId { get; set; }
	...
	public virtual Profile Profile { get; set; }
...
}
public class Profile {
	public int profileId { get; set; }
	public string username { get; set; }
	public string password { get; set; }
	...
}
OrderController는 요청을 처리하는 ASP.NET MVC 컨트롤러 클래스입니다.


public class OrderController : Controller{
	StoreEntities db = new StoreEntities();
...

	public String updateOrder(Order order) {
		...
		db.Orders.Add(order);
		db.SaveChanges();
	}
}

모델 엔터티 클래스가 자동으로 요청에 바인딩되므로 공격자는 요청 매개 변수 "http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"를 요청에 추가하여 다른 사용자의 암호를 업데이트하는 데 이 취약점을 사용할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 915
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.dotnet.mass_assignment_request_parameters_bound_into_persisted_objects
Abstract
요청 매개 변수로 자동 입력되도록 데이터베이스의 지속적인 엔터티를 허용하면 공격자가 연결 엔터티에 의도하지 않은 기록을 작성하거나 엔터티 개체의 의도하지 않은 필드를 업데이트할 수 있습니다.
Explanation
지속적인 개체는 기본 데이터베이스에 바인딩되고 Hibernate 또는 JPA와 같은 지속성 프레임워크에 의해 자동 업데이트됩니다. 이러한 개체가 Spring MVC에 의해 요청에 동적으로 바인딩되도록 하면 공격자가 추가 요청 매개 변수를 제공하여 데이터베이스에 예기치 못한 값을 삽입할 수 있습니다.
예제 1:Order, CustomerProfile은 Hibernate 지속형 클래스입니다.

public class Order {
	String ordered;
	List lineItems;
	Customer cust;
...
}
public class Customer {
	String customerId;
	...
    Profile p;
...
}
public class Profile {
	String profileId;
	String username;
	String password;
	...
}
OrderController는 요청을 처리하는 Spring 컨트롤러 클래스입니다.

@Controller
public class OrderController {
...
	@RequestMapping("/updateOrder")
	public String updateOrder(Order order) {
		...
		session.save(order);
	}
}

명령 클래스는 요청으로 자동 바인딩되므로 공격자는 요청 매개 변수 "http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"를 요청에 추가하여 다른 사용자의 암호를 업데이트하는 데 이 취약점을 사용할 수 있습니다.
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.java.mass_assignment_request_parameters_bound_into_persisted_objects

Mass Assignment: Sensitive Field Exposure

Abstract
민감한 필드는 모델 바인더에 노출됩니다.
Explanation
쉬운 개발과 생산성 증가를 위해 개발자는 현대적인 프레임워크를 통해 요청 쿼리와 본문 모두에서 모델 개체로 HTTP 요청 매개 변수를 자동으로 바인딩할 수 있습니다. HTTP 요청 매개 변수가 모델 속성에 바인딩되는 것을 제어하도록 바인더가 올바르게 구성되어 있지 않은 경우 공격자는 모델 바인딩 절차를 남용하고 사용자 제어에 노출되면 안 되는 다른 속성을 설정할 수도 있습니다. 이 바인딩은 모델 속성이 웹 형식 또는 API 계약에 표시되어 있지 않더라도 가능합니다.

예제 1: 다음 ASP.NET MVC 컨트롤러 메서드(Register)는 이름 및 암호를 제공하여 계정을 등록하도록 사용자에게 묻는 웹 폼에서 액세스됩니다.


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}
RegisterModel 클래스는 다음과 같이 정의됩니다.


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}
Details 클래스는 다음과 같이 정의됩니다.


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}
Example 1에 제공된 시나리오와 같이 공격자는 응용 프로그램을 탐색하고 RegisterModel 모델에 Details 속성이 있는지 발견할 수 있습니다. 이러한 경우 공격자는 속성에 할당된 현재 값을 덮어쓰려 할 수도 있습니다.
공격자가 이러한 내부 속성을 발견하고 이러한 속성의 바인딩을 허용하지 않도록 프레임워크 바인더가 올바르게 구성되어 있지 않은 경우 공격자는 다음 요청을 보내 관리자 계정을 등록할 수 있습니다.


name=John&password=****&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.dotnet.mass_assignment_sensitive_field_exposure
Abstract
민감한 필드가 모델 바인더에 노출됩니다.
Explanation
최신 프레임워크를 사용하면 요청 쿼리와 본문의 HTTP 요청 매개 변수를 모델 개체로 자동으로 바인딩하여 개발 작업을 용이하게 하고 생산성을 개선할 수 있습니다. HTTP 요청 매개 변수가 모델 속성에 바인딩되는 것을 제어하도록 바인더가 올바르게 구성되어 있지 않은 경우 공격자는 모델 바인딩 절차를 남용하고 사용자 제어에 노출되면 안 되는 다른 속성을 설정할 수도 있습니다. 이 바인딩은 모델 속성이 웹 형식 또는 API 계약에 표시되어 있지 않더라도 가능합니다.

예제 1: 다음 Struts 1 DynaActionForm은 사용자 요청에 바인딩되는 ActionForm을 동적으로 정의합니다. 이 경우 이 양식은 계정 유형과 사용자 세부 정보를 제공하여 계정을 등록하는 데 사용됩니다.


<struts-config>
  <form-beans>
       <form-bean name="dynaUserForm"
          type="org.apache.struts.action.DynaActionForm" >
              <form-property name="type" type="java.lang.String" />
              <form-property name="user" type="com.acme.common.User" />
       </form-bean>
       ...



등록에 성공하면 사용자 데이터가 데이터베이스에 유지됩니다. User 클래스는 다음으로 정의됩니다.


public class User {
  private String name;
  private String lastname;
  private int age;
  private Details details;

  // Public Getters and Setters
  ...
}
Details 클래스는 다음으로 정의됩니다.


public class Details {
  private boolean is_admin;
  private int id;
  private Date login_date;

  // Public Getters and Setters
  ...
}
Example 1에 제공된 시나리오와 같이 공격자는 응용 프로그램을 탐색하고 User 모델에 details 속성이 있는지 발견할 수 있습니다. 이러한 경우 공격자는 속성에 할당된 현재 값을 덮어쓰려 할 수도 있습니다.
공격자가 이러한 내부 속성을 찾을 수 있고 이러한 속성의 바인딩을 허용하지 않도록 프레임워크 바인더가 올바르게 구성되지 않은 경우 공격자는 다음 요청을 전송하여 관리자 계정을 등록할 수 있습니다.


type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Spring Spring MVC Known Vulnerabilities and Issues
[3] Standards Mapping - Common Weakness Enumeration CWE ID 915
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.config.java.mass_assignment_sensitive_field_exposure

Missing Check against Null

Abstract
프로그램이 null을 반환하는 함수의 반환 값을 확인하지 않으므로 null 포인터를 역참조할 수도 있습니다.
Explanation
소프트웨어에 대한 대부분의 심각한 공격은 프로그래머의 가정 위반에서 비롯됩니다. 공격 후, 프로그래머의 가정은 취약하고 근거가 빈약해 보이지만 공격 전에는 많은 프로그래머가 열심히 자신의 가정을 옹호하게 마련입니다.

코드에서 흔히 발견되는 두 가지 의심스런 가정은 "이 함수 호출은 절대 실패하지 않는다" 및 "이 함수 호출이 실패해도 상관 없다"입니다. 프로그래머가 함수의 반환 값을 무시하는 경우 암시적으로 이 가정 중 하나에 따라 동작하는 것으로 볼 수 있습니다.
예제 1: 다음 코드는 멤버 함수 Equals()를 호출하기 전에 Item 속성이 반환한 문자열이 null인지 검사하지 않기 때문에 null dereference가 발생할 수 있습니다.


string itemName = request.Item(ITEM_NAME);
	if (itemName.Equals(IMPORTANT_ITEM)) {
		...
	}
	...


이 코딩 오류에 대한 전형적인 변명은 이렇습니다.

“요청한 값이 항상 존재한다는 것을 알고 있습니다. 왜냐하면... 값이 존재하지 않는 경우, 프로그램이 필요한 동작을 수행할 수 없기 때문에 오류 처리 여부가 중요하지 않거나 프로그램이 null 값을 역참조하다가 중지해도 상관 없습니다.”

하지만 공격자는 프로그램에서 예기치 못한 경로를 찾아내는 데 능숙하며 예외와 관련이 있는 경우가 대표적인 예입니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 253, CWE ID 690
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[39] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.missing_check_against_null
Abstract
프로그램이 null을 반환하는 함수의 반환 값을 확인하지 않으므로 null 포인터를 역참조할 수도 있습니다.
Explanation
소프트웨어에 대한 대부분의 심각한 공격은 프로그래머의 가정 위반에서 비롯됩니다. 공격 후, 프로그래머의 가정은 취약하고 근거가 빈약해 보이지만 공격 전에는 많은 프로그래머가 열심히 자신의 가정을 옹호하게 마련입니다.

코드에서 흔히 발견되는 두 가지 의심스런 가정은 "이 함수 호출은 절대 실패하지 않는다" 및 "이 함수 호출이 실패해도 상관 없다"입니다. 프로그래머가 함수의 반환 값을 무시하는 경우 암시적으로 이 가정 중 하나에 따라 동작하는 것으로 볼 수 있습니다.
예제 1: 다음 코드는 malloc()이 반환하는 포인터를 사용하기 전에 메모리 할당이 성공했는지 확인하지 않습니다.


    buf = (char*) malloc(req_size);
    strncpy(buf, xfer, req_size);


이 코딩 오류에 대한 전형적인 변명은 이렇습니다.

“내 프로그램은 메모리가 부족하면 중단됩니다. NULL 포인터를 역참조하려고 할 때 프로그램이 조각화 오류로 중단되도록 내버려두든 오류를 처리하든 중요하지 않습니다.”

이 주장은 다음과 같은 세 가지 중요한 고려 사항을 무시하고 있습니다.

- 응용 프로그램의 종류와 크기에 따라 다른 곳에서 사용 중인 메모리를 해제하여 프로그램 실행을 계속할 수 있습니다.

- 프로그램에서 필요에 따라 정상 종료를 수행하는 것은 불가능합니다. 프로그램에서 최소 단위 작업을 수행하는 경우 시스템이 불일치 상태가 될 수 있습니다.

- 프로그래머가 진단 정보를 기록할 기회를 상실합니다. req_size가 너무 크거나 동시에 처리해야 할 요청이 너무 많아서 malloc() 호출이 실패했습니까? 또는 시간이 흐르면서 누적된 memory leak 때문에 발생했습니까? 오류를 처리하지 않고는 알 방법이 없습니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 253, CWE ID 690
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.missing_check_against_null
Abstract
프로그램이 null을 반환하는 함수의 반환 값을 확인하지 않으므로 null 포인터를 역참조할 수도 있습니다.
Explanation
소프트웨어에 대한 대부분의 심각한 공격은 프로그래머의 가정 위반에서 비롯됩니다. 공격 후, 프로그래머의 가정은 취약하고 근거가 빈약해 보이지만 공격 전에는 많은 프로그래머가 열심히 자신의 가정을 옹호하게 마련입니다.

코드에서 흔히 발견되는 두 가지 의심스런 가정은 "이 함수 호출은 절대 실패하지 않는다" 및 "이 함수 호출이 실패해도 상관 없다"입니다. 프로그래머가 함수의 반환 값을 무시하는 경우 암시적으로 이 가정 중 하나에 따라 동작하는 것으로 볼 수 있습니다.

예제 1: 다음 코드는 멤버 함수 compareTo()를 호출하기 전에 getParameter()가 반환한 문자열이 null인지 검사하지 않기 때문에 null dereference가 발생할 수 있습니다.


String itemName = request.getParameter(ITEM_NAME);
	if (itemName.compareTo(IMPORTANT_ITEM)) {
		...
	}
	...
예제 2: 다음 코드는 null로 설정되면 해당 속성이 항상 정의된다는 잘못된 가정을 하는 프로그래머가 역참조하는 시스템 속성을 보여줍니다.


System.clearProperty("os.name");
...
String os = System.getProperty("os.name");
if (os.equalsIgnoreCase("Windows 95") )
	System.out.println("Not supported");


이 코딩 오류에 대한 전형적인 변명은 이렇습니다.

“요청한 값이 항상 존재한다는 것을 알고 있습니다. 왜냐하면... 값이 존재하지 않는 경우, 프로그램이 필요한 동작을 수행할 수 없기 때문에 오류 처리 여부가 중요하지 않거나 프로그램이 null 값을 역참조하다가 중지해도 상관 없습니다.”

하지만 공격자는 프로그램에서 예기치 못한 경로를 찾아내는 데 능숙하며 예외와 관련이 있는 경우가 대표적인 예입니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 253, CWE ID 690
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[39] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.missing_check_against_null

Missing Check for Null Parameter

Abstract
이 함수는 해당 매개 변수와 null을 비교해야 하는 약정을 위반합니다.
Explanation
Java 표준에 따르면 해당 매개 변수가 null인 경우 Object.equals(), Comparable.compareTo()Comparator.compare()의 구현은 지정된 값을 반환해야 합니다. 이 약정을 따르지 않으면 예기치 못한 동작이 발생할 수 있습니다.

예제 1: 다음 equals() 메서드의 구현은 해당 매개 변수와 null을 비교하지 않습니다.


public boolean equals(Object object)
{
   return (toString().equals(object.toString()));
}
References
[1] MET10-J. Follow the general contract when implementing the compareTo() method CERT
[2] MET08-J. Preserve the equality contract when overriding the equals() method CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 684
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
desc.controlflow.java.missing_check_for_null_parameter

Missing Form Field Validation

Abstract
이 응용 프로그램은 양식 데이터에 대한 검증을 수행하지 않습니다.
Explanation
이 응용 프로그램은 웹 양식에서 받은 데이터 유형을 검증하지 않습니다. 수신 데이터가 예상 데이터에 대해 정의된 요구 사항을 충족하는지 확인하는 것이 좋습니다.

예제 1: 다음 코드는 예상 데이터의 요구 사항을 기준으로 데이터를 검증하지 않는 Spring WebFlow FormAction을 정의합니다.


    <bean id="customerCriteriaAction" class="org.springframework.webflow.action.FormAction">
        <property name="formObjectClass"
            value="com.acme.domain.CustomerCriteria" />
        <property name="propertyEditorRegistrar">
            <bean
                class="com.acme.web.PropertyEditors" />
        </property>
    </bean>
예제 2: 다음 코드는 예상된 요구 사항을 기준으로 데이터를 검증하지 않는 Spring WebFlow 작업 상태를 정의합니다.


    <action-state>
        <action bean="transferMoneyAction" method="bind" />
    </action-state>
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 108
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.missing_form_field_validation
Abstract
이 응용 프로그램은 폼 데이터에 대한 검증을 수행하지 않습니다.
Explanation
이 응용 프로그램은 웹 폼에서 수신된 데이터의 형식을 검증하지 못합니다. 수신된 데이터가 예상되는 데이터에 대해 정의된 요구 사항을 충족하는지 검증하는 것이 좋습니다.


예제 1: 다음 코드는 폼을 정의하지만 예상되는 요구 사항을 기준으로 데이터를 검증하지 못합니다. 


  def form = Form(
    mapping(
      "name" -> text,
      "age" -> number
    )(UserData.apply)(UserData.unapply)
  )
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 108
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.scala.missing_form_field_validation

Missing SecurityManager Check: Cloneable

Abstract
구성자에서 이 검사를 수행하는 cloneable 클래스는 해당 clone() 메서드에서 동일한 검사를 수행해야 합니다.
Explanation
클래스의 clone() 메서드가 호출될 때 복제될 클래스에 대한 구성자는 호출되지 않습니다. 따라서, SecurityManager 또는 AccessController 검사가 cloneable 클래스의 구성자에 존재하는 경우, 동일한 검사가 클래스의 clone 메서드에도 존재해야 합니다. 그렇지 않으면, 클래스가 복제될 때 보안 검사가 무시됩니다.

예제 1: 다음 코드에는 clone() 메서드가 아니라 구성자의 SecurityManager 검사가 포함되어 있습니다.

public class BadSecurityCheck implements Cloneable {

private int id;

public BadSecurityCheck() {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new BadPermission("BadSecurityCheck"));
    }
    id = 1;
}

public Object clone() throws CloneNotSupportedException {
    BadSecurityCheck bsm = (BadSecurityCheck)super.clone();
    return null;
}
}
References
[1] "Secure Coding Guidelines for the Java Programming Language, version 2.0" Sun Microsystems, Inc. [Online]. [Accessed: Aug. 30, 2007]. Sun Microsystems, Inc.
[2] C. Lai Java Insecurity: Accounting for Subtleties That Can Compromise Code
[3] Standards Mapping - Common Weakness Enumeration CWE ID 358
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality
[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[26] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
desc.structural.java.missing_securitymanager_check_cloneable

Missing SecurityManager Check: Serializable

Abstract
구성자에서 SecurityManager 검사를 수행하는 serializable 클래스는 readObject()readObjectNoData 메서드에서 동일한 검사를 수행해야 합니다.
Explanation
serializable 클래스의 readObject() 메서드가 호출될 때 역직렬화될 클래스에 대한 구성자는 호출되지 않습니다. 따라서, SecurityManager 검사가 serializable 클래스의 구성자에 존재하는 경우, 동일한 SecurityManager 검사가 readObject()readObjectNoData() 메서드에도 존재해야 합니다. 그렇지 않으면, 클래스가 역직렬화될 때 보안 검사가 무시됩니다.

예제 1: 다음 코드에는 readObject()readObjectNoData() 메서드가 아니라 구성자의 SecurityManager 검사가 포함됩니다.

public class BadSecurityCheck implements Serializable {

private int id;

public BadSecurityCheck() {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new BadPermission("BadSecurityCheck"));
    }
    id = 1;
}

public void readObject(ObjectInputStream in) throws ClassNotFoundException, IOException {
    in.defaultReadObject();
}

public void readObjectNoData(ObjectInputStream in) throws ClassNotFoundException, IOException {
    in.defaultReadObject();
}
}
References
[1] "Secure Coding Guidelines for the Java Programming Language, version 2.0" Sun Microsystems, Inc. [Online]. [Accessed: Aug. 30, 2007]. Sun Microsystems, Inc.
[2] C. Lai Java Insecurity: Accounting for Subtleties That Can Compromise Code
[3] SERIAL-4: Duplicate the SecurityManager checks enforced in a class during serialization and deserialization Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 358
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001764, CCI-001774, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-7 Least Functionality (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-7 Least Functionality
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001480 CAT II, APSC-DV-001490 CAT II
[28] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
desc.structural.java.missing_securitymanager_check_serializable

Missing XML Validation

Abstract
XML 구문 분석에서 검증하지 못하면 공격자에게 악의적인 입력을 제공할 기회를 주게 됩니다.
Explanation
프로그래머의 가정 위반으로 인해 공격이 성공하는 경우가 많습니다. 프로그래머가 XML 문서를 DTD 또는 XML 스키마와 대조하여 확인하지 않고 받으면 공격자가 엉뚱하거나 잘못되거나 악성 입력을 제공하도록 문을 열어주는 셈입니다. XML 파서가 문서 내용의 모든 측면을 확인하는 것은 불가능합니다. 파서가 데이터의 완전한 의미를 이해할 수 없기 때문입니다. 하지만 파서는 문서의 구조를 완벽하고 철저하게 검사할 수 있으므로 문서를 처리하는 코드에 문서의 내용이 올바른 형식이라는 것을 보장합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 112
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[13] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.abap.missing_xml_validation
Abstract
XML 구문 분석에서 검증을 하지 못하면 공격자에게 악의적인 입력을 제공할 기회를 주게 됩니다.
Explanation
프로그래머의 가정 위반으로 인해 공격이 성공하는 경우가 많습니다. 프로그래머가 XML 문서를 DTD 또는 XML 스키마와 대조하여 확인하지 않고 받으면 공격자가 엉뚱하거나 잘못되거나 악성 입력을 제공하도록 문을 열어주는 셈입니다. XML 파서가 문서 내용의 모든 측면을 확인하는 것은 불가능합니다. 파서가 데이터의 완전한 의미를 이해할 수 없기 때문입니다. 하지만 파서는 문서의 구조를 완벽하고 철저하게 검사할 수 있으므로 문서를 처리하는 코드에 문서의 내용이 올바른 형식이라는 것을 보장합니다.
References
[1] XmlReader Class Microsoft
[2] XmlReaderSettings Class Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 112
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[20] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[21] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[22] Standards Mapping - OWASP Top 10 2010 A1 Injection
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.dotnet.missing_xml_validation
Abstract
XML 구문 분석에서 검증을 하지 못하면 공격자에게 악의적인 입력을 제공할 기회를 주게 됩니다.
Explanation
프로그래머의 가정 위반으로 인해 공격이 성공하는 경우가 많습니다. 프로그래머가 XML 문서를 DTD 또는 XML 스키마와 대조하여 확인하지 않고 받으면 공격자가 엉뚱하거나 잘못되거나 악성 입력을 제공하도록 문을 열어주는 셈입니다. XML 파서가 문서 내용의 모든 측면을 확인하는 것은 불가능합니다. 파서가 데이터의 완전한 의미를 이해할 수 없기 때문입니다. 하지만 파서는 문서의 구조를 완벽하고 철저하게 검사할 수 있으므로 문서를 처리하는 코드에 문서의 내용이 올바른 형식이라는 것을 보장합니다.
References
[1] Xerces parser features The Apache Foundation
[2] XML Validation in J2SE 1.5 Sun Microsystems
[3] Axis User's Guide Apache Software Foundation
[4] IDS16-J. Prevent XML Injection CERT
[5] IDS17-J. Prevent XML External Entity Attacks CERT
[6] INJECT-3: XML and HTML generation requires care Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 112
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[13] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[25] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2010 A1 Injection
[27] Standards Mapping - OWASP Top 10 2013 A1 Injection
[28] Standards Mapping - OWASP Top 10 2017 A1 Injection
[29] Standards Mapping - OWASP Top 10 2021 A03 Injection
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.java.missing_xml_validation

Missing XML Validation: Untyped Response

Abstract
XML 구문 분석에서 검증을 하지 못하면 공격자에게 악의적인 입력을 제공할 기회를 주게 됩니다.
Explanation
프로그래머의 가정 위반으로 인해 공격이 성공하는 경우가 많습니다. 프로그래머가 XML 문서를 DTD 또는 XML 스키마와 대조하여 확인하지 않고 받으면 공격자가 엉뚱하거나 잘못되거나 악성 입력을 제공하도록 문을 열어주는 셈입니다. XML 파서가 문서 내용의 모든 측면을 확인하는 것은 불가능합니다. 파서가 데이터의 완전한 의미를 이해할 수 없기 때문입니다. 하지만 파서는 문서의 구조를 완벽하고 철저하게 검사할 수 있으므로 문서를 처리하는 코드에 문서의 내용이 올바른 형식이라는 것을 보장합니다.
References
[1] Xerces parser features The Apache Foundation
[2] XML Validation in J2SE 1.5 Sun Microsystems
[3] Axis User's Guide Apache Software Foundation
[4] IDS16-J. Prevent XML Injection CERT
[5] IDS17-J. Prevent XML External Entity Attacks CERT
[6] INJECT-3: XML and HTML generation requires care Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 112
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[13] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[25] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2010 A1 Injection
[27] Standards Mapping - OWASP Top 10 2013 A1 Injection
[28] Standards Mapping - OWASP Top 10 2017 A1 Injection
[29] Standards Mapping - OWASP Top 10 2021 A03 Injection
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.java.missing_xml_validation_untyped_response

NoSQL Injection: DynamoDB

Abstract
신뢰할 수 없는 소스에서 나온 입력을 사용하여 동적 DynamoDB 쿼리를 생성하면 공격자가 해당 문의 의미를 수정할 수 있습니다.
Explanation
DynamoDB의 NoSQL Injection 취약점이 발생하는 경우는 다음과 같습니다.

1. 신뢰할 수 없는 소스의 데이터가 프로그램에 입력됩니다.



2. 데이터를 사용하여 DynamoDB 쿼리를 동적으로 생성합니다.

예제 1: 다음 코드는 암호와 함께 전자 메일 주소 또는 사용자 이름이 지정된 사용자를 검색하는 DynamoDB 쿼리를 동적으로 생성하고 실행합니다.


    ...
        // "type" parameter expected to be either: "Email" or "Username"
        string type = request["type"];
        string value = request["value"];
        string password = request["password"];
        
        var ddb = new AmazonDynamoDBClient();
    
        var attrValues = new Dictionary<string,AttributeValue>();
        attrValues[":value"] = new AttributeValue(value);
        attrValues[":password"] = new AttributeValue(password);
    
        var scanRequest = new ScanRequest();
        scanRequest.FilterExpression = type + " = :value AND Password = :password";
        scanRequest.TableName = "users";
        scanRequest.ExpressionAttributeValues = attrValues;
    
        var scanResponse = await ddb.ScanAsync(scanRequest);
    ...


이 쿼리는 다음 코드를 실행하려고 합니다.

Email = :value AND Password = :password


또는 

Username = :value AND Password = :password


하지만 상수인 기본 쿼리 문자열과 사용자 입력 문자열을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 type에 예상 값만 포함된 경우에만 정확하게 동작합니다. 공격자가 :value = :value OR :value 같은 입력 값을 제공하면 쿼리는 다음과 같습니다.

:value = :value OR :value = :value AND Password = :password
:value = :value 조건을 추가하면 where 절이 항상 true로 평가되므로 쿼리는 전자 메일 소유자와 관계없이 users 컬렉션에 저장된 모든 항목을 반환합니다.
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.dotnet.nosql_injection_dynamodb
Abstract
신뢰할 수 없는 소스에서 나온 입력을 사용하여 동적 DynamoDB 쿼리를 생성하면 공격자가 해당 문의 의미를 수정할 수 있습니다.
Explanation
DynamoDB의 NoSQL Injection 취약점이 발생하는 경우는 다음과 같습니다.

1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.



2. 데이터를 사용하여 DynamoDB 쿼리를 동적으로 생성합니다.

예제 1: 다음 코드는 암호와 함께 전자 메일 주소 또는 사용자 이름이 지정된 사용자를 검색하는 DynamoDB 쿼리를 동적으로 생성하고 실행합니다.


...
    // "type" parameter expected to be either: "Email" or "Username"
    String type = request.getParameter("type")
    String value = request.getParameter("value")
    String password = request.getParameter("password")
    
    DynamoDbClient ddb = DynamoDbClient.create();

    HashMap<String, AttributeValue> attrValues = new HashMap<String,AttributeValue>();
    attrValues.put(":value", AttributeValue.builder().s(value).build());
    attrValues.put(":password", AttributeValue.builder().s(password).build());

    ScanRequest queryReq = ScanRequest.builder()
        .filterExpression(type + " = :value AND Password = :password")
        .tableName("users")
        .expressionAttributeValues(attrValues)
        .build();

    ScanResponse response = ddb.scan(queryReq);
...


이 쿼리는 다음 코드를 실행하려고 합니다.

Email = :value AND Password = :password


또는 

Username = :value AND Password = :password


하지만 상수인 기본 쿼리 문자열과 사용자 입력 문자열을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 type에 예상 값만 포함된 경우에만 정확하게 동작합니다. 공격자가 :value = :value OR :value 같은 입력 값을 제공하면 쿼리는 다음과 같습니다.

:value = :value OR :value = :value AND Password = :password
:value = :value 조건을 추가하면 where 절이 항상 true로 평가되므로 쿼리는 전자 메일 소유자와 관계없이 users 컬렉션에 저장된 모든 항목을 반환합니다.
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.java.nosql_injection_dynamodb

NoSQL Injection: MongoDB

Abstract
신뢰할 수 없는 소스에서 나온 입력을 사용하여 동적 MongoDB 쿼리를 생성하면 공격자가 해당 문의 의미를 수정할 수 있습니다.
Explanation
MongoDB의 NoSQL Injection 오류가 발생하는 경우는 다음과 같습니다.

1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.



2. 데이터를 사용하여 MongoDB 쿼리를 동적으로 생성합니다.

예제 1: 다음 코드는 특정 ID의 전자 메일을 검색하는 MongoDB 쿼리를 동적으로 생성하고 실행합니다.


...
    String userName = User.Identity.Name;
    String emailId = request["emailId"];
    var coll = mongoClient.GetDatabase("MyDB").GetCollection<BsonDocument>("emails");
    var docs = coll.Find(new BsonDocument("$where", "this.name == '" + name + "'")).ToList();
...


쿼리는 다음 코드를 실행하려고 합니다.


    this.owner == "<userName>" && this.emailId == "<emailId>"


하지만 상수 쿼리 문자열과 사용자 입력을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 emailId에 작은따옴표가 들어 있지 않은 경우에만 정확하게 동작합니다. 사용자 이름이 wiley인 공격자가 emailId에 문자열 123' || '4' != '5를 입력하면 쿼리는 다음과 같이 생성됩니다.


    this.owner == 'wiley' && this.emailId == '123' || '4' != '5'
|| '4' != '5' 조건을 추가하면 where 절이 항상 true로 평가되므로 쿼리는 전자 메일 소유자와 관계없이 emails 컬렉션에 저장된 모든 항목을 반환합니다.
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.dotnet.nosql_injection_mongodb
Abstract
신뢰할 수 없는 소스에서 나온 입력을 사용하여 동적 MongoDB 쿼리를 생성하면 공격자가 해당 문의 의미를 수정할 수 있습니다.
Explanation
MongoDB의 NoSQL Injection 오류가 발생하는 경우는 다음과 같습니다.

1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.



2. 데이터를 사용하여 MongoDB 쿼리를 동적으로 생성합니다.

예제 1: 다음 코드는 특정 ID의 전자 메일을 검색하는 MongoDB 쿼리를 동적으로 생성하고 실행합니다.


...
    String userName = ctx.getAuthenticatedUserName();
    String emailId = request.getParameter("emailId")
    MongoCollection<Document> col = mongoClient.getDatabase("MyDB").getCollection("emails");
    BasicDBObject Query = new BasicDBObject();
    Query.put("$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\"");
    FindIterable<Document> find= col.find(Query);
...


쿼리는 다음 코드를 실행하려고 합니다.


    this.owner == "<userName>" && this.emailId == "<emailId>"


하지만 상수인 기본 쿼리 문자열과 사용자 입력 문자열을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 emailId에 큰따옴표가 들어 있지 않은 경우에만 정확하게 동작합니다. 사용자 이름이 wiley인 공격자가 emailId에 문자열 123" || "4" != "5를 입력하면 쿼리는 다음과 같이 생성됩니다.


    this.owner == "wiley" && this.emailId == "123" || "4" != "5"
|| "4" != "5" 조건을 추가하면 where 절이 항상 true로 평가되므로 쿼리는 전자 메일 소유자와 관계없이 emails 컬렉션에 저장된 모든 항목을 반환합니다.
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.java.nosql_injection_mongodb
Abstract
신뢰할 수 없는 소스에서 나온 입력을 사용하여 동적 MongoDB 쿼리를 생성하면 공격자가 해당 문의 의미를 수정할 수 있습니다.
Explanation
MongoDB의 NoSQL Injection 오류가 발생하는 경우는 다음과 같습니다.

1. 신뢰할 수 없는 소스에서 데이터가 프로그램에 입력됩니다.



2. 데이터를 사용하여 MongoDB 쿼리를 동적으로 생성합니다.

예제 1: 다음 코드는 특정 ID의 전자 메일을 검색하는 MongoDB 쿼리를 동적으로 생성하고 실행합니다.


...
    userName = req.field('userName')
    emailId = req.field('emaiId')
    results = db.emails.find({"$where", "this.owner == \"" + userName + "\" && this.emailId == \"" + emailId + "\""});
...


쿼리는 다음 코드를 실행하려고 합니다.


    this.owner == "<userName>" && this.emailId == "<emailId>"


하지만 상수인 기본 쿼리 문자열과 사용자 입력 문자열을 연결하여 쿼리를 동적으로 생성하기 때문에, 쿼리는 emailId에 큰따옴표가 들어 있지 않은 경우에만 정확하게 동작합니다. 사용자 이름이 wiley인 공격자가 emailId에 문자열 123" || "4" != "5를 입력하면 쿼리는 다음과 같이 생성됩니다.


    this.owner == "wiley" && this.emailId == "123" || "4" != "5"
|| "4" != "5" 조건을 추가하면 where 절이 항상 true로 평가되므로 쿼리는 전자 메일 소유자와 관계없이 emails 컬렉션에 저장된 모든 항목을 반환합니다.
References
[1] Testing for NoSQL injection OWASP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 89, CWE ID 943
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [6] CWE ID 089
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [6] CWE ID 089
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [6] CWE ID 089
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [3] CWE ID 089
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [3] CWE ID 089
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [3] CWE ID 089
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.4 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.5 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 089
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 089
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 089
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3540.1 CAT I, APP3540.3 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002540 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 SQL Injection (WASC-19)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 SQL Injection
desc.dataflow.python.nosql_injection_mongodb

Null Dereference

Abstract
프로그램이 null 포인터를 역참조할 가능성이 있기 때문에 NullException이 발생합니다.
Explanation
Null 포인터 오류는 주로 프로그래머 가정을 하나 이상 위반한 결과로 발생합니다.

대부분의 null 포인터 문제는 일반적으로 소프트웨어 신뢰도 문제를 야기하지만 공격자가 의도적으로 null 포인터 역참조를 실행할 수 있는 경우 그 결과 발생하는 예외 사항을 사용하여 보안 로직을 무시하거나 차후의 공격을 계획하는 데 유용한 디버깅 정보를 응용 프로그램이 노출하도록 할 수 있습니다.

예제 1: 다음 코드에서 프로그래머는 시스템에 항상 “cmd”라는 속성이 정의되어 있다고 가정합니다. 공격자가 “cmd”가 정의되지 않도록 프로그램의 환경을 제어하게 되면 프로그램이 Trim() 메서드를 호출하려 할 때 null 포인터 예외 사항이 발생합니다.


string cmd = null;
...
cmd = Environment.GetEnvironmentVariable("cmd");
cmd = cmd.Trim();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.null_dereference
Abstract
프로그램이 null 포인터를 역참조할 가능성이 있기 때문에 조각화 오류가 발생합니다.
Explanation
Null 포인터 예외는 일반적으로 하나 이상의 프로그래머 가정을 위반했을 때 발생합니다. 이 문제는 최소한 역참조 후 검사(check-after-dereference), 검사 후 역참조(dereference-after-check) 및 저장 후 역참조(dereference-after-store)라는 세 가지 문제를 유발합니다. 역참조 후 검사(check-after-dereference) 오류는 포인터가 null인지 검사하기 전에 null이 될 수 있는 포인터를 역참조할 경우 발생합니다. 검사 후 역참조(dereference-after-check) 오류는 프로그램이 null인지 여부를 명시적으로 검사하지만, null인 것으로 알려진 포인터를 역참조할 때 발생합니다. 이 유형의 오류는 철자 오류 또는 프로그래머의 실수로 발생합니다. 저장 후 역참조(dereference-after-store) 오류는 프로그램이 명시적으로 포인터를 null로 설정하고 이를 나중에 역참조할 경우에 발생합니다. 이 오류는 프로그래머가 선언된 상태의 변수를 null로 초기화하여 발생하는 경우가 많습니다.

대부분의 null 포인터 문제는 일반적인 소프트웨어 신뢰도 문제를 야기하지만 공격자가 의도적으로 null 포인터 역참조를 실행할 수 있는 경우 그 결과 발생하는 예외 사항을 활용함으로써 보안 로직을 무시하여 Denial Of Service(DoS) 공격을 가하거나 차후의 공격을 계획하는 데 유용한 디버깅 정보를 응용 프로그램이 노출하도록 할 수 있습니다.

예제 1: 다음 코드에서 프로그래머는 변수 ptrNULL이 아닌 것으로 가정합니다. 이 가정은 프로그래머가 포인터를 역참조하면 명시적인 것이 됩니다. 프로그래머가 NULL에 대해 ptr을 검사하면 이 가정이 반박됩니다. if문에서 검사할 때 ptrNULL이 되면 역참조될 때도 NULL이 되어 조각화 오류가 발생할 수 있습니다.


ptr->field = val;
...
if (ptr != NULL) {
	...
}
예제 2: 다음 코드에서 프로그래머는 변수 ptrNULL임을 확인한 다음 실수로 역참조합니다. if문에서 검사할 때 ptrNULL이면 null dereference가 발생하여 조각화 오류가 일어납니다.


if (ptr == null) {
        ptr->field = val;
        ...
}
예제 3: 다음 코드에서 프로그래머는 '\0' 문자열이 실제로 0 또는 NULL인 것을 잊고 null 포인터를 역참조하여 조각화 오류가 일어납니다.


if (ptr == '\0') {
        *ptr = val;
        ...
}
예제 4: 다음 코드에서 프로그래머는 명시적으로 변수 ptrNULL로 설정합니다. 나중에 프로그래머는 개체의 null 값을 검사하기 전에 ptr를 역참조합니다.


*ptr = NULL;
...
ptr->field = val;
...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.null_dereference
Abstract
프로그램이 null 포인터를 역참조할 가능성이 있기 때문에 NullPointerException이 발생합니다.
Explanation
Null 포인터 오류는 주로 프로그래머 가정을 하나 이상 위반한 결과로 발생합니다.

대부분의 null 포인터 문제는 일반적으로 소프트웨어 신뢰도 문제를 야기하지만 공격자가 의도적으로 null 포인터 역참조를 실행할 수 있는 경우 그 결과 발생하는 예외 사항을 사용하여 보안 로직을 무시하거나 차후의 공격을 계획하는 데 유용한 디버깅 정보를 응용 프로그램이 노출하도록 할 수 있습니다.

예제 1: 다음 코드에서 프로그래머는 시스템에 항상 “cmd”라는 속성이 정의되어 있다고 가정합니다. 공격자가 “cmd”가 정의되지 않도록 프로그램의 환경을 제어하게 되면 프로그램이 trim() 메서드를 호출하려 할 때 null 포인터 예외 사항이 발생합니다.


String val = null;
...
cmd = System.getProperty("cmd");
if (cmd)
	val = util.translateCommand(cmd);
...
cmd = val.trim();
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 476
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [14] CWE ID 476
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [13] CWE ID 476
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [15] CWE ID 476
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [11] CWE ID 476
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [12] CWE ID 476
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [21] CWE ID 476
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[15] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 11.1.7 Business Logic Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.null_dereference

Object Model Violation: Erroneous clone() Method

Abstract
clone() 메서드는 super.clone()을 호출하여 새 개체를 얻어야 합니다.
Explanation
모든 clone() 구현은 super.clone()을 호출하여 새 개체를 얻어야 합니다. 클래스가 이 규칙을 지키지 않으면 하위 클래스의 clone() 메서드가 잘못된 형식의 개체를 반환합니다.


예제 1: 다음 두 클래스는 super.clone()을 호출하지 않아서 발생하는 버그를 보여 줍니다. Kibitzerclone()을 구현하는 방법으로 인해 FancyKibitzer의 clone 메서드는 FancyKibitzer 대신 Kibitzer 유형의 개체를 반환합니다.


public class Kibitzer implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = new Kibitzer();
    ...
  }
}

public class FancyKibitzer extends Kibitzer
                           implements Cloneable {
  public Object clone() throws CloneNotSupportedException {
    Object returnMe = super.clone();
    ...
  }
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 580
desc.structural.java.object_model_violation_erroneous_clone_method

Object Model Violation: Just one of equals() and hashCode() Defined

Abstract
이 클래스는 equals()hashCode() 중 하나만 정의합니다.
Explanation
Java 개체는 수많은 동등한 관련 규칙을 따라야 합니다. 이 규칙 중 하나는 같은 개체는 같은 해시코드를 가져야 한다는 것입니다. 즉, a.equals(b) == true이면 a.hashCode() == b.hashCode()이어야 합니다.

이 규칙을 지키지 않으면 이 클래스의 개체를 컬렉션(collection)에 저장하는 경우 문제가 발생하기 쉽습니다. 해당 클래스의 개체가 해시 테이블의 키로 사용되거나 Map 또는 Set에 삽입되는 경우, 반드시 같은 개체는 같은 해시코드를 가져야 합니다.

예제 1: 다음 클래스는 equals()를 오버라이드하지만 hashCode()는 오버라이드하지 않습니다.


public class halfway() {
  public boolean equals(Object obj) {
    ...
  }
}
References
[1] D. H. Hovermeyer FindBugs User Manual
[2] MET09-J. Classes that define an equals() method must also define a hashCode() method CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 581
desc.structural.java.object_model_violation_just_one_of_equals_hashcode_defined

Object Model Violation: Just one of restoreState() and saveState() Defined

Abstract
이 클래스는 saveState()restoreState() 중 하나만 정의합니다.
Explanation
StateHolder 인터페이스를 상속 받는 모든 클래스는 saveState(javax.faces.context.FacesContext)restoreState(javax.faces.context.FacesContext, java.lang.Object)를 구현하거나 둘 다 구현하지 않아야 합니다. 이 두 가지 메서드는 밀접한 관계가 있으므로 상속 계층의 서로 다른 수준에 saveState(javax.faces.context.FacesContext)restoreState(javax.faces.context.FacesContext, java.lang.Object) 메서드를 두는 것은 허용되지 않습니다.

예제 1: 다음 클래스는 saveState()를 정의해도 restoreState()는 정의하지 않으므로 해당 클래스를 확장하는 클래스의 모든 작업에서 항상 오류가 발생합니다.

public class KibitzState implements StateHolder {
  public Object saveState(FacesContext fc) {
    ...
  }
}
References
[1] Sun Microsystems JavaDoc for StateHolder Interface
[2] Standards Mapping - Common Weakness Enumeration CWE ID 684
desc.structural.java.object_model_violation_just_one_of_restoreState_saveState_defined

Obsolete

Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생할 수 있습니다.
Explanation
일반적으로 프로그래밍 언어가 발전하면서 메서드가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도
향상
- 특정 작업을 규정하는 규칙의 변화

언어에서 삭제되는 문은 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 문으로 교체됩니다.

특히 SAP ABAP는 ABAP 개체(ABAP의 개체 지향 확장)를 포함하고 유니코드 호환 환경에서 작동하도록 발전했습니다. 그 결과, 클래스 내 또는 유니코드 프로그램 내에서 더 엄격한 구문이 강제 실행됩니다. 더 이상 사용되지 않는 구성이 이전 버전과의 호환성 때문에 계속 유지되지만 클래스 외부 또는 비유니코드 프로그램에서만 사용할 수 있습니다. 더 이상 사용되지 않는 모든 언어 요소에는 프로그램의 효율성 및 가독성을 높이는 대체 구성이 있습니다. 더 이상 사용되지 않는 구문 내에 존재하는 대다수의 암시적이고 모호한 유형/길이/메모리 지정은 새로운 구문에서는 좀 더 정확하고 확실한 방식으로 지정되어야 합니다. 이해와 유지가 더 쉽고 더 강력한 프로그램을 만들 수 있도록 새로운 구문을 적용하는 것이 좋습니다.


보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.abap.obsolete
Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생할 수 있습니다.
Explanation
프로그래밍 언어가 발전하면서 함수가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도
향상
- 특정 작업을 규정하는 규칙의 변화


언어에서 삭제되는 함수는 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 함수로 교체됩니다.
예제 1: 다음 코드는 새 SqlClientPermission 개체를 생성하는데, 이는 사용자에게 데이터베이스 연결을 허용하는 방법을 규제합니다. 이 예제에서 프로그램은 구성자에게 false를 두 번째 매개 변수로 전달하는데, 이 값은 사용자가 빈 비밀번호로 연결할 경우의 허용 여부를 결정합니다. 이 매개 변수에 false를 전달하는 것은 빈 비밀번호를 허용할 수 없다는 뜻입니다.


...
SCP = new SqlClientPermission(pstate, false);
...


하지만 첫 번째 매개 변수로 전달되는 PermissionState 개체가 두 번째 매개 변수에 전달되는 값을 대체하기 때문에 구성자는 데이터베이스 연결에 빈 암호를 허용합니다. 이는 두 번째 인수에 위배됩니다. 빈 암호를 허용하지 않으려면 프로그램이 PermissionState.None을 구성자의 첫 번째 매개 변수에 전달해야 합니다. 이 기능상의 모호함 때문에 두 개의 매개 변수를 사용하는 SqlClientPermission 구성자 버전을 동일한 수준의 정보를 전달하면서 잘못 해석될 위험이 없는 단일 매개 변수 버전으로 교체했습니다.

보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.dotnet.obsolete
Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생할 수 있습니다.
Explanation
프로그래밍 언어가 발전하면서 함수가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도 향상
- 특정 작업을 규정하는 규칙의 변화

삭제되는 함수는 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 함수로 교체됩니다.
예제 1: 다음 코드는 사용하지 않는 함수 getpw()를 통해 일반 텍스트 비밀번호가 사용자의 암호화된 비밀번호와 일치하는지 확인합니다. 비밀번호가 올바르면 함수는 result를 1로 설정하고 그렇지 않으면 0으로 설정합니다.


	...
	getpw(uid, pwdline);
	for (i=0; i<3; i++){
	cryptpw=strtok(pwdline, ":");
		pwdline=0;
	}
result = strcmp(crypt(plainpw,cryptpw), cryptpw) == 0;
	...


아래 코드는 정상적으로 작동하는 경우도 많지만, getpw() 함수를 사용하면 보안상 문제가 될 수 있습니다. 이 함수가 두 번째 매개 변수로 전달되는 버퍼를 overflow할 수 있기 때문입니다. 이 같은 취약성 때문에 getpw()getpwuid()로 대체되었습니다. getpwuid()는 getpw()와 같은 조회 작업을 수행하지만 정적으로 할당되는 구조에 대한 포인터를 반환하여 위험을 완화합니다.

보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.cpp.obsolete
Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생하거나 오래된 버전의 ColdFusion을 사용하게 될 수 있습니다.
Explanation
프로그래밍 언어가 발전하면서 메서드가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도
향상
- 특정 작업을 규정하는 규칙의 변화

언어에서 삭제되는 메서드는 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 함수로 교체됩니다.


보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.cfml.obsolete
Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생할 수 있습니다.
Explanation
프로그래밍 언어가 발전하면서 메서드가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도
향상
- 특정 작업을 규정하는 규칙의 변화

언어에서 삭제되는 메서드는 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 함수로 교체됩니다.
예제 1: 다음 코드는 바이트 배열과 각 16비트 유니코드 문자의 상위 8비트를 지정하는 값에서 문자열 개체를 생성합니다.


...
String name = new String(nameBytes, highByte);
...


이 예에서 생성자는 nameBytes로 표시되는 문자열을 인코딩하는 데 사용되는 charset에 따라 바이트를 문자로 올바르게 변환하지 못할 수 있습니다. 문자열을 인코딩하는 데 사용되는 charset의 진화로 인해 이 생성자는 더 이상 사용되지 않으며 변환을 위해 바이트를 인코딩하는 데 사용되는 charset의 이름을 매개 변수 중 하나로 받아들이는 생성자로 교체되었습니다.

보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] MET02-J. Do not use deprecated or obsolete classes or methods CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 477
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[8] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[12] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.semantic.java.obsolete
Abstract
사용이 금지되거나 더 이상 사용되지 않는 함수를 사용하면 코드 무시가 발생할 수 있습니다.
Explanation
프로그래밍 언어가 발전하면서 메서드가 사용할 수 없게 되는 경우가 있는데 그 이유는 다음과 같습니다.

- 언어의 발전
- 효율적이고 안전한 작업 수행 방법에 대한 이해도
향상
- 특정 작업을 규정하는 규칙의 변화

언어에서 삭제되는 메서드는 일반적으로 같은 작업을 더 나은 다른 방식으로 수행하는 새 함수로 교체됩니다.
예제 1: 다음 코드에서는 우발적으로 릴리스 내에 관여하기 때문에 사용하지 않도록 문서에 명시적으로 지정된 Digest::HMAC stdlib를 사용합니다.


require 'digest/hmac'

hmac = Digest::HMAC.new("foo", Digest::RMD160)
...
hmac.update(buf)
...


이 예제에서 Digest::HMAC 클래스는 릴리스 내에 우발적으로 포함되기 때문에 관련되는 즉시 사용 중지되었습니다. 실험적 코드 및 적절하게 테스트되지 않은 코드 때문에 이 클래스가 예상대로 작동하지 않을 가능성이 있으므로, 특히 암호화 기능과 HMAC의 관련을 고려할 때 이 클래스는 사용하지 않아야 합니다.

보안 위험이 있다고 해서 모든 함수를 사용하지 않거나 바꾸는 것은 아닙니다. 하지만 사용하지 않는 함수가 있으면 주변의 코드가 무시되어 복구할 수 없는 상태가 되는 경우가 많습니다. 소프트웨어 보안은 아주 오랜 동안 우선 순위가 낮거나 심지어 고려 대상도 아니었습니다. 사용이 금지되거나 더 이상 사용되지 않는 함수를 프로그램에서 사용하는 경우, 주위에 보안 문제가 발생할 가능성이 높아집니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 477
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002617
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 1.5
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-2 Flaw Remediation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-2 Flaw Remediation
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.6 Configuration Architectural Requirements (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002610 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002610 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002610 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002610 CAT II
[11] Standards Mapping - Smart Contract Weakness Classification SWC-111
desc.structural.ruby.obsolete

Often Misused: Android Permission Check

Abstract
checkCallingOrSelfPermission() 또는 checkCallingOrSelfUriPermission() 함수는 필요한 권한이 없거나 권한이 전혀 없는 호출 프로그램이 해당 응용 프로그램의 권한을 사용하여 권한 검사를 우회할 수 있도록 하므로 조심해서 사용해야 합니다.
Explanation
checkCallingOrSelfPermission() 또는 checkCallingOrSelfUriPermission() 함수는 호출 프로그램이 특정 서비스 또는 지정된 URI에 액세스하는 데 필요한 권한이 있는지 확인합니다. 그러나 이러한 함수는 해당 응용 프로그램 권한을 가정하여 적절한 권한이 없는 악성 응용 프로그램에 액세스 권한을 부여할 수 있으므로 조심해서 사용해야 합니다.

다시 말해, 적절한 권한이 없기 때문에 리소스에 대한 접근이 거부되어야 하는 악성 응용 프로그램이 해당 응용 프로그램의 권한을 사용하여 권한 검사를 우회할 수 있다는 것입니다. 이로 인해 confused deputy 공격이라고 하는 문제가 발생할 수 있습니다.
References
[1] Designing for Security Android
[2] Context: Android Developers Android
[3] Standards Mapping - Common Weakness Enumeration CWE ID 732
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.5 Access Control Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.java.often_misused_android_permission_check

Often Misused: Authentication

Abstract
공격자가 DNS 항목을 스푸핑할 수 있습니다. 보안을 DNS 이름에 의존하지 마십시오.
Explanation
많은 DNS 서버가 스푸핑 공격에 취약하기 때문에 언젠가는 소프트웨어가 손상된 DNS 서버가 있는 환경에서 실행될 수도 있다고 가정해야 합니다. 공격자가 DNS 업데이트를 수행할 수 있게 되면(DNS 캐시 감염(cache-poisoning)이라고도 함) 네트워크 트래픽을 자신의 시스템을 통과하도록 라우팅하거나 자신의 IP 주소가 사용자 도메인의 일부로 보이도록 만듭니다. 시스템 보안을 DNS 이름에 맡길 수 없습니다.
예제 1: 다음 코드 샘플은 DNS 조회를 사용하여 인바운드 요청이 신뢰할 수 있는 호스트의 것인지 여부를 결정합니다. 공격자가 DNS 캐시를 감염시키면 신뢰할 수 있는 지위를 얻게 됩니다.


 IPAddress hostIPAddress = IPAddress.Parse(RemoteIpAddress);
 IPHostEntry hostInfo = Dns.GetHostByAddress(hostIPAddress);
 if (hostInfo.HostName.EndsWith("trustme.com")) {
   trusted = true;
 }


IP 주소는 DNS 이름보다는 신뢰할 수 있지만 역시 스푸핑될 수 있습니다. 공격자는 쉽게 자신들이 보내는 패킷의 원본 IP 주소를 위조할 수 있지만 응답 패킷은 위조된 IP 주소로 반환됩니다. 응답 패킷을 보려면 공격자는 피해자 시스템과 위조된 IP 주소 사이의 트래픽을 염탐해야 합니다. 공격자는 원하는 염탐을 수행하기 위해 보통 피해자 컴퓨터와 같은 서브넷에 있으려고 합니다. 공격자가 소스 라우팅을 사용하면 이 요구 사항을 피해 갈 수도 있지만 오늘날 인터넷의 상당 부분에서 소스 라우팅을 허용하지 않습니다. 간단히 말해, IP 주소 확인은 인증 기법의 필수적인 부분이기는 하지만 authentication에 필요한 유일한 요소는 아닙니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.often_misused_authentication
Abstract
getlogin() 함수는 스푸핑하기 쉽습니다. 함수가 반환하는 이름을 신뢰하지 마십시오.
Explanation
getlogin() 함수는 현재 터미널에 로그인한 사용자의 이름이 들어 있는 문자열을 반환하는 함수이지만 공격자가 getlogin()이 시스템에 로그인한 사용자의 이름을 반환하게 만들 수 있습니다. 보안 결정을 내릴 때 getlogin()이 반환하는 이름에 의존해서는 안 됩니다.
예제 1:다음 코드는 getlogin()에 의존하여 사용자에 대한 신뢰 여부를 결정합니다. 이 함수는 쉽게 조작할 수 있습니다.


 pwd = getpwnam(getlogin());
 if (isTrustedGroup(pwd->pw_gid)) {
 allow();
 } else {
 deny();
 }
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.cpp.often_misused_authentication.getlogin
Abstract
공격자가 DNS 항목을 스푸핑할 수 있습니다. 보안을 DNS 이름에 의존하지 마십시오.
Explanation
많은 DNS 서버가 스푸핑 공격에 취약하기 때문에 언젠가는 소프트웨어가 손상된 DNS 서버가 있는 환경에서 실행될 수도 있다고 가정해야 합니다. 공격자가 DNS 업데이트를 수행할 수 있게 되면(DNS 캐시 감염(cache-poisoning)이라고도 함) 네트워크 트래픽을 자신의 시스템을 통과하도록 라우팅하거나 자신의 IP 주소가 사용자 도메인의 일부로 보이도록 만듭니다. 시스템 보안을 DNS 이름에 맡길 수 없습니다.
예제 1: 다음 코드는 DNS 조회를 사용하여 인바운드 요청이 신뢰할 수 있는 호스트의 것인지 여부를 결정합니다. 공격자가 DNS 캐시를 감염시키면 신뢰할 수 있는 지위를 얻게 됩니다.


 String ip = request.getRemoteAddr();
 InetAddress addr = InetAddress.getByName(ip);
 if (addr.getCanonicalHostName().endsWith("trustme.com")) {
 trusted = true;
 }


IP 주소는 DNS 이름보다는 신뢰할 수 있지만 역시 스푸핑될 수 있습니다. 공격자는 쉽게 자신들이 보내는 패킷의 원본 IP 주소를 위조할 수 있지만 응답 패킷은 위조된 IP 주소로 반환됩니다. 응답 패킷을 보려면 공격자는 피해자 시스템과 위조된 IP 주소 사이의 트래픽을 염탐해야 합니다. 공격자는 원하는 염탐을 수행하기 위해 보통 피해자 컴퓨터와 같은 서브넷에 있으려고 합니다. 공격자가 소스 라우팅을 사용하면 이 요구 사항을 피해 갈 수도 있지만 오늘날 인터넷의 상당 부분에서 소스 라우팅을 허용하지 않습니다. 간단히 말해, IP 주소 확인은 인증 기법의 필수적인 부분이기는 하지만 authentication에 필요한 유일한 요소는 아닙니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 247, CWE ID 292, CWE ID 558, CWE ID 807
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000877
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-11 Re-Authentication (P0), MA-4 Nonlocal Maintenance (P2), SC-23 Session Authenticity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 MA-4 Nonlocal Maintenance, SC-11 Trusted Path, SC-23 Session Authenticity
[7] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 807
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 807
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3460 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3460 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3460 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3460 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3460 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3460 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3460 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001970 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.java.often_misused_authentication

Often Misused: Boolean.getBoolean()

Abstract
Boolean.getBoolean() 메서드는 Boolean.valueOf() 또는 Boolean.parseBoolean() 메서드 호출과 혼동하는 경우가 많습니다.
Explanation
대부분의 경우 Boolean.getBoolean()에 대한 호출은 지정된 문자열 인수로 나타내는 부울 값을 반환하는 것으로 가정하기 때문에 자주 오용됩니다. 그러나 Javadoc에 언급된 것처럼 Boolean.getBoolean(String) 메서드는 "해당 인수에 의해 명명된 시스템 속성이 존재하고 'true' 문자열과 동일한 경우에만 true를 반환합니다."

개발자들이 가장 자주 사용하려고 했던 것은 Boolean.valueOf(String) 또는 Boolean.parseBoolean(String) 메서드 호출이었습니다.
예제 1: 다음 코드는 예상대로 작동하지 않습니다. Boolean.getBoolean(String)이 String 기본 형식을 변환하지 못하기 때문에 "FALSE"를 출력합니다. 이 코드는 시스템 속성만 변환합니다.

 ...
 String isValid = "true";
 if ( Boolean.getBoolean(isValid) ) {
     System.out.println("TRUE");
 }
 else {
     System.out.println("FALSE");
 }
 ...
References
[1] Class Boolean Oracle
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.semantic.java.often_misused_boolean_getboolean