1437 개 항목 찾음

취약점

Azure Terraform Misconfiguration: Improper Key Vault Network Access Control

Abstract

구성이 액세스 권한이 지나치게 광범위한 네트워크 규칙을 정의합니다.

Explanation

느슨한 액세스 구성은 시스템을 노출시키고 조직의 공격 표면을 확장합니다. 공개 상호 작용이 가능한 서비스는 일반적으로 악의적인 엔터티의 거의 지속적인 검색 및 조사에 노출됩니다.

이는 노출된 서비스에 대한 제로데이 익스플로이트가 검색되어 게시되는 경우(예: Heartbleed) 특히 문제가 됩니다. 공격자는 패치되지 않고 노출된 시스템을 적극적으로 추적하고 검색하여 악용할 수 있습니다.

References

[1] Microsoft Configure Azure Storage firewalls and virtual networks

[2] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

[3] Standards Mapping - Common Weakness Enumeration CWE ID 749

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-001813, CCI-002165

[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), SC-3 Security Function Isolation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.azure.misconfiguration_improper_network_access_control.base

Azure Terraform Misconfiguration: Improper Logic App CORS Policy

Abstract

구성이 지나치게 허용적인 CORS 정책을 설정합니다.

Explanation

CORS(원본 간 리소스 공유)는 다른 도메인에서 호스팅되는 웹 페이지에서 액세스할 도메인 리소스에 대한 정책을 도메인에서 정의할 수 있도록 하는 기술입니다. 역사적으로 웹 브라우저는 동일 출처 정책을 준수하기 위해 다른 도메인에서 로드된 스크립트가 도메인 리소스에 액세스하는 것을 제한했습니다.
CORS는 도메인에서 다른 도메인을 허용 목록에 추가하고 해당 리소스에 액세스할 수 있도록 하는 방법을 제공합니다.

CORS 정책을 정의할 때는 주의를 기울이십시오. 도메인 또는 도메인의 디렉터리에 대해 서버 수준에서 지나치게 허용적인 정책을 구성할 경우 도메인 간 액세스에 대한 콘텐트가 의도한 것보다 많이 노출될 수 있기 때문입니다. CORS는 악성 응용 프로그램과 피해 응용 프로그램 간의 부적절한 통신을 가능하게 하여 정보 공개, 스푸핑, 데이터 절도, 릴레이 또는 기타 공격으로 이어지게 됩니다.

CORS를 구현하면 응용 프로그램의 공격 표면이 증가할 수 있으며 필요한 경우에만 사용해야 합니다.

References

[1] W3C Cross-Origin Resource Sharing

[2] Michael Schmidt HTML5 Web Security

[3] Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, and Frank Piessens A Security Analysis of Next Generation Web Standards

[4] James Kettle Exploiting CORS misconfigurations for Bitcoins and bounties

[5] Standards Mapping - Common Weakness Enumeration CWE ID 942

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414

[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.4.6 HTTP Security Headers Requirements (L1 L2 L3), 14.5.3 Validate HTTP Request Header Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II

[43] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.iac.misconfiguration_improper_cors_policy.base

Azure Terraform Misconfiguration: Improper MariaDB Network Access Control