531 개 항목 찾음

취약점

Android Bad Practices: Use of Released SQLite Resource

Java/JSP

Abstract

코드는 미리 릴리스한 후 Android 데이터베이스 처리기를 참조합니다.

Explanation

코드는 미리 닫고 난 후 Android SQLite 데이터베이스 처리기를 사용하려고 합니다. 데이터베이스 연결을 다시 설정하지 않은 처리기에 대한 자세한 참조는 예외를 발생시키며, 예외가 발생하지 않은 경우 응용 프로그램 손상을 일으킬 수 있습니다.

예제: 다음 코드는 메모리의 사용자 값을 일시적으로 캐시하는 프로그램에서 나올 수 있지만 flushUpdates()를 호출하여 디스크에 대한 변경 내용을 커밋할 수 있습니다. 메서드는 데이터베이스에 업데이트를 작성한 후 데이터베이스 처리기를 올바르게 닫습니다. 그러나 flushUpdates()가 다시 호출될 경우, 재초기화 전에 데이터베이스 개체를 다시 참조합니다.


public class ReuseDBActivity extends Activity {
  private myDBHelper dbHelper;
  private SQLiteDatabase db;

  @Override
  public void onCreate(Bundle state) {
      ...
      db = dbHelper.getWritableDatabase();
      ...
  }
  ...

  private void flushUpdates() {
      db.insert(cached_data);     // flush cached data
      dbHelper.close();
  }
  ...
}

References

[1] Data Storage, Android Developers

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - Common Weakness Enumeration CWE ID 416

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416

[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[49] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.java.android_bad_practices_use_of_released_sqlite_resource

Android Bad Practices: Weak Authentication

Java/JSP

Abstract

프로그램은 비공개 및/또는 장치 관련 정보를 사용하여 UUID(Universally Unique Identifier)를 생성합니다.

Explanation

하드웨어 및 장치 관련 ID는 데이터를 지우고 공장 기본값으로 재설정한 후에도 유지됩니다. 따라서 이러한 ID에 의존하여 사용자에게 권한을 부여하거나 사용자를 인증하는 데 사용되는 고유 ID를 생성하지 않아야 합니다.

또한 개인 정보와 관련될 수 있는 UUID(Universally Unique Identifier)의 누출은 사용자 개인 정보 및 보안에 위협이 됩니다.

References

[1] Designing for Security Android

[2] OWASP Top 10 Mobile Risks OWASP

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark partial

[8] Standards Mapping - Common Weakness Enumeration CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[15] Standards Mapping - FIPS200 CM, SC

[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[19] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[23] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II, APSC-DV-001970 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.dataflow.java.android_bad_practices_weak_authentication

Android Class Loading Hijacking

Java/JSP

Abstract

신뢰할 수 없는 소스 또는 신뢰할 수 없는 환경에서 클래스를 로드하면 응용 프로그램이 공격자 대신 악의적인 명령을 실행할 수 있습니다.

Explanation

Android 클래스 로드 하이재킹 취약점은 다음 두 가지 형태로 나타납니다.

- 프로그램이 클래스를 로드하기 위해 검색하는 디렉터리의 이름을 공격자가 변경하여 자신이 제어권을 가진 디렉터리를 가리키도록 할 수 있습니다. 즉, 클래스를 검색할 경로를 공격자가 명시적으로 제어합니다.

- 클래스가 로드되는 환경을 공격자가 변경할 수 있습니다. 즉, 공격자가 암시적으로 경로 이름의 의미를 제어합니다.

이 경우에는 공격자가 로드할 클래스를 검색하는 디렉터리를 제어할 수 있는 첫 번째 시나리오를 집중적으로 살펴보겠습니다. 이러한 유형의 Android 클래스 로드 하이재킹 취약점은 다음 경우에 발생합니다.

1. 신뢰할 수 없는 소스에서 데이터가 응용 프로그램에 입력됩니다.

2. 데이터는 로드할 클래스를 찾을 라이브러리 디렉터리를 나타내는 문자열 또는 문자열의 일부로 사용됩니다.

3. 응용 프로그램은 라이브러리 경로의 코드를 실행하여 공격자에게 공격자가 다른 방법으로는 얻을 수 없는 권한 또는 기능을 부여합니다.

예제 1: 다음 코드는 사용자가 변경 가능한 userClassPath를 사용하여 로드할 클래스를 검색할 디렉터리를 결정합니다.


...
  productCategory = this.getIntent().getExtras().getString("userClassPath");
  DexClassLoader dexClassLoader = new DexClassLoader(productCategory, optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
  ...

이 코드를 통해 공격자는 userClassPath의 결과를 자신이 제어하는 다른 경로를 가리키도록 수정할 수 있기 때문에 공격자가 라이브러리를 로드하고 응용 프로그램의 높은 권한으로 임의 코드를 실행할 수 있습니다. 프로그램이 환경에서 읽은 값을 확인하지 않기 때문에 공격자가 userClassPath의 값을 제어할 수 있으면, 공격자가 제어하는 디렉터리를 가리키도록 응용 프로그램을 속일 수 있고 이에 따라 공격자가 정의한 클래스를 원래 응용 프로그램과 동일한 권한으로 로드할 수 있습니다.

예제 2: 다음 코드는 사용자가 변경 가능한 userOutput를 사용하여 로드할 클래스를 검색할 디렉터리를 결정합니다.


...
  productCategory = this.getIntent().getExtras().getString("userOutput");
  DexClassLoader dexClassLoader = new DexClassLoader(sanitizedPath, productCategory, null, getClassLoader());
...

이 코드에서는 공격자가 ODEX(Optimized DEX) 파일의 출력 디렉터리를 지정하는 것이 가능합니다. 그러면 악의적인 사용자가 userOutput의 값을 외부 저장소와 같은 자신이 제어하는 디렉터리로 변경할 수 있습니다. 이렇게 되면 출력된 ODEX 파일을 악의적 ODEX 파일로 바꾸기만 하면 원래 응용 프로그램과 동일한 권한으로 실행됩니다.

References

[1] Android Class Loading Hijacking Symantec

desc.dataflow.java.android_class_loading_hijacking

Android Misconfiguration: Debug Information

Java/JSP

Abstract

디버깅 메시지는 공격자가 시스템을 파악하고 공격 형태를 계획하는 데 도움이 됩니다.

Explanation

디버그 바이너리를 생성하도록 Android 응용 프로그램을 구성할 수 있습니다. 이러한 바이너리는 자세한 디버깅 메시지를 제공하므로 운영 환경에서 사용해서는 안 됩니다. <application> 태그의 debuggable 속성은 컴파일된 바이너리에 디버깅 정보를 포함할지 여부를 정의합니다.

디버그 바이너리를 사용하면 응용 프로그램이 사용자에게 가능한 한 많은 정보를 제공하게 됩니다. 디버그 바이너리는 개발 또는 테스트 환경에서 사용하기 위한 것이며 운영 환경에 배포할 경우 보안 위험을 초래할 수 있습니다. 공격자는 디버깅 출력에서 얻은 자세한 정보를 이용하여 응용 프로그램이 사용하는 프레임워크, 데이터베이스 또는 기타 리소스를 공격할 수 있습니다.

References

[1] JavaDoc for Android Android

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 11

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M10 Lack of Binary Protections

[21] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.android_misconfiguration_debug_information

Axis 2 Misconfiguration: Debug Information

Java/JSP

Abstract

SOAP Monitor 모듈을 사용하면 공격자가 SOAP 트래픽을 스니핑할 수 있습니다.

Explanation

Apache Axis 2는 Java 애플릿을 통해 들어오고 나가는 SOAP 메시지를 모니터링할 수 있는 개발자 유틸리티를 제공합니다. SOAP Monitor는 웹 서비스를 호출하는 데 사용되는 모든 SOAP 메시지를 보여줍니다. 공격자는 이 유틸리티를 사용하여 웹 서비스와 해당 클라이언트 간의 트래픽을 도청할 수 있습니다.

References

[1] Using the SOAP Monitor Apache Software Foundation

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 215

[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[12] Standards Mapping - FIPS200 CM

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling

[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[25] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.axis2_misconfiguration_debug_information

Axis 2 Misconfiguration: Insecure Message Security

Java/JSP

Abstract

Apache Axis 2가 REST를 사용하도록 구성되어 있으며 REST에 메시지 보안 표준이 없습니다.

Explanation

서비스가 메시지를 다른 서비스로 릴레이하는 경우 메시지는 릴레이 지점 간에 사용되는 가장 약한 전송 메커니즘에 노출됩니다. REST 자체에는 보안 메커니즘이 포함되어 있지 않으므로 이 서비스는 메시지 무결성 및 기밀성을 전송 계층에 의존합니다.

다음 구성은 REST를 활성화합니다.


<axisconfig name="AxisJava2.0">
...
    <parameter name="disableREST" locked="true">false</parameter>
...
</axisconfig>

References

[1] Axis2 Apache Software Foundation

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 311

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422

[9] Standards Mapping - FIPS200 CM, SC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.axis2_misconfiguration_insecure_message_security

Axis 2 Misconfiguration: Insecure Transport Receiver

Java/JSP

Abstract

이 구성은 민감한 정보에 대한 액세스에 SSL을 요구해야 합니다.

Explanation

응용 프로그램이 민감한 정보를 다루는데 메시지 수준 암호화를 사용하지 않는 경우, 암호화된 전송 채널을 통해서만 통신이 허용되어야 합니다.

References

[1] HTTP Transport Apache Software Foundation

[2] Axis2 Configuration Guide Apache Software Foundation

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 311

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[10] Standards Mapping - FIPS200 CM, SC

[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[22] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[23] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.axis2_misconfiguration_insecure_transport_receiver