35 개 항목 찾음

취약점

ASP.NET Misconfiguration: Missing HMAC Signature

C#/VB.NET/ASP.NET

Abstract

이 응용 프로그램은 암호화를 사용하도록 구성된 경우 ASP.NET에서 수행하는 서명 확인을 비활성화하는 속성을 설정합니다.

Explanation

기본적으로 ASP.NET은 ViewState, FormsAuth cookies 및 ScriptResource.axd URL과 같은 페이로드를 해독하기 전에 암호화 서명을 내부에서 검증하고 추가 처리를 위해 이러한 값을 응용 프로그램에 전달합니다. 그러나 aspnet:UseLegacyEncryption 설정을 사용하여 페이로드 해독 전에 암호화 서명 확인을 비활성화하도록 이 기능을 수정할 수 있습니다. 그러면 악성 클라이언트에서 암호화된 데이터를 해독, 위조 또는 변조할 수 있습니다.

예제 1: 다음 예에서, aspnet:UseLegacyEncryption이 true로 설정됩니다.


...
  <appSettings>
    <add key="aspnet:UseLegacyEncryption" value="true" />
  </appSettings>
...

References

[1] ASP.NET appSettings Element Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 345

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[4] Standards Mapping - FIPS200 CM, SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.configuration.dotnet.asp_dotnet_misconfiguration_missing_hmac_signature

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

C#/VB.NET/ASP.NET

Abstract

모델 클래스는 필수 속성과 비필수 속성을 모두 포함하기 때문에 over-posting 공격에 취약할 수 있습니다.

Explanation

[Required] 속성으로 표시되는 필수 속성과 [Required] 속성으로 표시되지 않는 옵션 속성이 모두 포함된 모델 클래스를 사용하는 경우, 공격자가 필요한 것보다 많은 데이터가 포함된 요청을 전달하면 문제가 발생할 수 있습니다.

ASP.NET MVC 프레임워크는 요청 매개 변수를 모델 속성에 바인딩하려고 합니다.

모델에 바인딩할 매개 변수를 명시적으로 전달하지 않고 필수 속성과 비필수 속성을 혼합하여 포함하고 있으면 내부용 모델 속성을 공격자가 제어하게 될 수 있습니다.

다음 코드는 [Required]가 지정된 속성과 [Required]가 지정되지 않은 속성이 포함된 가능 모델 클래스를 정의합니다.


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}

옵션 매개 변수를 사용하여 응용 프로그램 동작을 변경할 수 있는 경우 공격자가 요청에서 옵션 매개 변수를 전달하면 해당 동작을 실제로 변경할 수 있습니다.

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] BindAttribute Class

[3] RequiredAttribute Class

[4] Standards Mapping - Common Weakness Enumeration CWE ID 345

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

C#/VB.NET/ASP.NET

Abstract

모델 클래스는 null이 허용되지 않는 필수 속성을 포함하기 때문에 under-posting 공격에 취약할 수 있습니다.

Explanation

null이 허용되지 않는 필수 속성([Required] 속성으로 표시됨)이 포함된 모델 클래스를 사용하는 경우, 공격자가 필요한 것보다 적은 데이터가 포함된 요청을 전달하면 문제가 발생할 수 있습니다.

ASP.NET MVC 프레임워크는 요청 매개 변수를 모델 속성에 바인딩하려고 합니다.

모델에 null이 허용되지 않는 필수 매개 변수가 포함되어 있는데 공격자가 요청 시 필수 매개 변수를 전달하지 않는 경우, 즉 공격자가 under-posting 공격을 사용하면 속성에 기본값(보통 0)이 지정되므로 [Required] 확인 속성이 충족됩니다. 따라서 응용 프로그램이 예기치 않게 동작할 수 있습니다.

다음 코드는 null이 허용되지 않는 필수 열거가 포함된 가능 모델 클래스를 정의합니다.


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] Standards Mapping - Common Weakness Enumeration CWE ID 345

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[11] Standards Mapping - OWASP Top 10 2010 A1 Injection

[12] Standards Mapping - OWASP Top 10 2013 A1 Injection

[13] Standards Mapping - OWASP Top 10 2017 A1 Injection

[14] Standards Mapping - OWASP Top 10 2021 A03 Injection

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

C#/VB.NET/ASP.NET

Abstract

모델 클래스는 필수 속성을 포함하며 유형이 상위 모델 유형의 옵션 멤버이므로 under-posting 공격에 취약할 수 있습니다.

Explanation

필수 속성을 포함하며 유형이 상위 모델 클래스의 옵션 멤버인 모델 클래스는 공격자가 필요한 것보다 적은 데이터가 포함된 요청을 전달하면 under-posting 공격에 취약해질 수 있습니다.

ASP.NET MVC 프레임워크는 하위 모델을 포함한 요청 매개 변수를 모델 속성에 바인딩하려고 합니다.

하위 모델이 옵션인 경우, 즉 상위 모델에 [Required] 속성이 없는 속성이 있는 경우에 공격자가 해당 하위 모델을 전달하지 않으면 상위 모델에는 null 값이 지정되고 하위 모델의 필수 필드가 모델 확인을 통해 어설션되지 않습니다. 이는 under-posting 공격의 한 형태입니다.

다음의 모델 클래스 정의를 살펴보십시오.


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}

공격자가 ParentModel.Child 속성의 값을 전달하지 않으면 ChildModel.RequiredProperty 속성에 [Required]가 지정되며, 이 값은 어설션되지 않습니다. 따라서 예기치 않은 부적절한 결과가 발생할 수 있습니다.