계: Errors

오류 및 오류 처리는 API 클래스를 나타냅니다. 오류 처리와 관련된 오류는 매우 흔하므로 따로 다룰 만한 내용입니다. "API 오용"과 마찬가지로 오류 관련 보안 취약성을 일으키는 두 가지 원인이 있습니다. 가장 흔한 것은 오류를 제대로(혹은 아예) 처리하지 못하는 것입니다. 두 번째는 (잠재적 공격자에게) 너무 많은 정보를 제공하거나 처리하기 어려운 오류를 발생시키는 것입니다.

14 개 항목 찾음
취약점

Poor Error Handling: Program Catches NullPointerException

Abstract
NullPointerException을 캐치(catch)하는 것은 일반적으로 잘못된 관행입니다.
Explanation
프로그래머는 보통 다음 세 가지 경우에 NullPointerException을 캐치(catch)합니다.

1. 프로그램에 null 포인터 역참조가 있습니다. 결과로 생기는 예외를 catch하는 것이 근본 문제를 수정하는 것보다 쉽습니다.

2. 프로그램이 명시적으로 NullPointerException을 발생시켜 오류 조건을 알립니다.

3. 코드가 예기치 않은 입력을 테스트 중인 클래스에 제공하는 테스트 프로그램(test harness)의 일부입니다.

세 가지 중 마지막 경우만 허용됩니다.

예제: 다음 코드는 NullPointerException을 캐치(catch)하는 오류를 범합니다.


  try {
    mysteryMethod();
  }
  catch (NullPointerException npe) {
  }
References
[1] ERR08-J. Do not catch NullPointerException or any of its ancestors CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 395
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[11] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_program_catches_nullpointerexception

Poor Error Handling: Program Catches NullReferenceException

Abstract
NullReferenceException을 캐치(catch)하는 것은 일반적으로 잘못된 관행입니다.
Explanation
프로그래머는 보통 다음 세 가지 경우에 NullReferenceException을 캐치(catch)합니다.

1. 프로그램에 null 포인터 역참조가 있습니다. 결과로 생기는 예외를 catch하는 것이 근본 문제를 수정하는 것보다 쉽습니다.

2. 프로그램이 명시적으로 NullReferenceException을 발생시켜 오류 조건을 알립니다.

3. 코드가 예기치 않은 입력을 테스트 중인 클래스에 제공하는 테스트 프로그램(test harness)의 일부입니다.

세 가지 중 마지막 경우만 허용됩니다.

예제: 다음 코드는 NullReferenceException을 잘못 catch합니다.

  try {
    MysteryMethod();
  }
  catch (NullReferenceException npe) {
  }
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 395
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[10] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.dotnet.poor_error_handling_program_catches_nullreferenceexception

Poor Error Handling: Return Inside Finally

Abstract
finally 블록 내부에서 반환하면 예외 사항이 손실될 수 있습니다.
Explanation
finally 블록에 return 문이 있으면 try 블록에서 발생하는 예외 사항이 사라질 수 있습니다.

예제 1: 다음 발췌된 코드에서 전달된 true와 함께 두 번째 doMagic 호출에서 발생한 MagicException은 호출자에게 전달되지 않습니다. finally 블록에 return 문이 있으면 예외 사항이 사라집니다.


public class MagicTrick {

public static class MagicException extends Exception { }

public static void main(String[] args) {

  System.out.println("Watch as this magical code makes an " +
                     "exception disappear before your very eyes!");

  System.out.println("First, the kind of exception handling " +
                     "you're used to:");
  try {
    doMagic(false);
  } catch (MagicException e) {
    // An exception will be caught here
    e.printStackTrace();
  }

  System.out.println("Now, the magic:");
  try {
    doMagic(true);
  } catch (MagicException e) {
    // No exception caught here, the finally block ate it
    e.printStackTrace();
  }
  System.out.println("tada!");
}

public static void doMagic(boolean returnFromFinally)
throws MagicException {

  try {
    throw new MagicException();
  }
  finally {
    if (returnFromFinally) {
      return;
    }
  }
}

}
References
[1] ERR04-J. Do not complete abruptly from a finally block CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 584
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[8] Standards Mapping - FIPS200 AU
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[12] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_return_inside_finally
Abstract
finally 블록 내부에서 반환하면 예외 사항이 손실될 수 있습니다.
Explanation
finally 블록에 return 문이 있으면 try 블록에서 발생하는 예외 사항이 사라질 수 있습니다.

예제 1: 다음 발췌된 코드에서 전달된 True와 함께 두 번째 doMagic 호출에서 발생한 exception은 호출자에게 전달되지 않습니다. finally 블록에 return 문이 있으면 예외 사항이 사라집니다.

        "disappear before your very eyes!" . PHP_EOL;

echo "First, the kind of exception handling " .
        "you're used to:" . PHP_EOL;

try {
    doMagic(False);
} catch (exception $e) {
    // An exception will be caught here
    echo $e->getMessage();
}

echo "Now, the magic:" . PHP_EOL;

try {
    doMagic(True);
} catch (exception $e) {
    // No exception caught here, the finally block ate it
    echo $e->getMessage();
}

echo "Tada!" . PHP_EOL;

function doMagic($returnFromFinally) {
    try {
        throw new Exception("Magic Exception" . PHP_EOL);
    }
    finally {
        if ($returnFromFinally) {
            return;
        }
    }
}
?>
References
[1] ERR04-J. Do not complete abruptly from a finally block CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 584
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[8] Standards Mapping - FIPS200 AU
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[12] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.php.poor_error_handling_return_inside_finally

Poor Error Handling: Swallowed ThreadDeath

Abstract
ThreadDeath 오류가 다시 발생하지 않는 경우, 문제의 스레드는 실제로 정지된 것이 아닐 수도 있습니다.
Explanation
ThreadDeath 오류는 응용 프로그램을 비동기적으로 종료한 후 정리해야 할 경우에만 발생되어야 합니다. ThreadDeath 오류가 발생한 경우, 스레드가 실제로 정지하도록 다시 발생시키는 것이 중요합니다. ThreadDeath 발생의 목적은 스레드를 중단시키는 것입니다. ThreadDeath를 덮어버리면 스레드 중단을 막을 수 있고 원래 ThreadDeath를 발생시킨 사람은 누구라도 스레드 중단을 기대하므로 예기치 못한 동작이 발생할 수 있습니다.

예제 1: 다음 코드는 ThreadDeath 오류를 찾지만 다시 발생시키지 않습니다.

try
{
//some code
}
catch(ThreadDeath td)
{
//clean up code
}
References
[1] Oracle Class ThreadDeath
[2] Scott Oaks, Henry Wong Java Threads O'Reilly
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 705
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[12] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_swallowed_threaddeath

Poor Error Handling: Throw Inside Finally

Abstract
finally 블록 내에서 throw 문을 사용하면 try-catch-finally를 통한 논리 진행이 깨집니다.
Explanation
Java에서 finally 블록은 항상 해당 try-catch 블록 뒤에서 실행되며 대개 파일 핸들 또는 데이터베이스 커서와 같이 할당된 리소스를 해제하는 데 사용됩니다. finally 블록에서 예외를 발생시키면 정상적인 프로그램 실행이 손상되므로 중요한 정리 코드를 무시할 수 있습니다.

예제 1: 다음 코드에서 stmt.close()에 대한 호출은 FileNotFoundException이 발생할 때 무시됩니다.

public void processTransaction(Connection conn) throws FileNotFoundException
{
    FileInputStream fis = null;
    Statement stmt = null;
    try
    {
        stmt = conn.createStatement();
        fis = new FileInputStream("badFile.txt");
        ...
    }
    catch (FileNotFoundException fe)
    {
        log("File not found.");
    }
    catch (SQLException se)
    {
        //handle error
    }
    finally
    {
        if (fis == null)
        {
            throw new FileNotFoundException();
        }

        if (stmt != null)
        {
            try
            {
                stmt.close();
            }
            catch (SQLException e)
            {
                log(e);
            }
        }
    }
}
References
[1] Sun Microsystems, Inc. Java Sun Tutorial
[2] ERR05-J. Do not let checked exceptions escape from a finally block CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 398
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[9] Standards Mapping - FIPS200 AU
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[13] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
desc.structural.java.poor_error_handling_throw_inside_finally

Poor Error Handling: Unhandled Exception

Abstract
예외를 올바르게 처리하지 못하면 응용 프로그램이 예기치 않은 상태 및 조건을 간과할 수 있습니다.
Explanation
Unhandled exception 취약점은 다음 경우에 발생합니다.

1. 예외 사항이 발생합니다.

2. 현재 페이지를 이스케이프 처리하기 전에 예외 사항이 올바르게 처리되지 않았습니다.

소프트웨어에 대한 대부분의 심각한 공격은 프로그래머의 가정 위반에서 비롯됩니다. 공격 후, 프로그래머의 가정은 취약하고 근거가 빈약해 보이지만 공격 전에는 많은 프로그래머가 열심히 자신의 가정을 옹호하게 마련입니다.

코드에서 흔히 발견되는 두 가지 의심스런 가정은 "이 작업은 절대 실패하지 않는다" 및 "이 작업이 실패해도 상관 없다"입니다. 프로그래머가 작업에 발생할 수 있는 예외 사항을 캐치(catch)하지 못한 경우, 암시적으로 이 가정 중 하나에 따라 동작하는 것으로 볼 수 있습니다.
References
[1] Adobe Exceptions in ColdFusion 5
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 248
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[9] Standards Mapping - FIPS200 AU
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[13] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.2 Error Handling (L2 L3)
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cfml.unhandled_exception

Poor Error Handling: Unhandled SSL Exception

Abstract
SSL 예외를 명시적으로 처리하지 못하면 응용 프로그램이 예기치 않은 상태 및 조건을 간과할 수 있습니다.
Explanation
Unhandled SSL exception 취약점은 다음 경우에 발생합니다.

1. SSL 특정 예외가 발생합니다.

2. 예외 사항이 올바로 처리되지 않습니다.

SSL 특정 예외 javax.net.ssl.SSLHandshakeException, javax.net.ssl.SSLKeyExceptionjavax.net.ssl.SSLPeerUnverifiedException 모두 SSL 연결과 관련된 중요한 오류를 전달합니다. 이러한 오류가 올바로 처리되지 않는 경우, 이 연결은 예상치 못한 상태 및 잠재적 불안정 상태가 될 수 있습니다.

소프트웨어에 대한 대부분의 심각한 공격은 프로그래머의 가정 위반에서 비롯됩니다. 공격 후, 프로그래머의 가정은 취약하고 근거가 빈약해 보이지만 공격 전에는 많은 프로그래머가 열심히 자신의 가정을 옹호하게 마련입니다.

코드에서 흔히 발견되는 두 가지 의심스런 가정은 "이 작업은 절대 실패하지 않는다" 및 "이 작업이 실패해도 상관 없다"입니다. 프로그래머가 작업에 발생할 수 있는 예외 사항을 캐치(catch)하지 못한 경우, 암시적으로 이 가정 중 하나에 따라 동작하는 것으로 볼 수 있습니다.
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 248
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-003272
[7] Standards Mapping - FIPS200 AU
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[11] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling
[12] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.4.2 Error Handling (L2 L3)
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective B.3.2 - Terminal Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002310 CAT I, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[48] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.poor_error_handling_unhandled_ssl_exception