1437 개 항목 찾음
취약점

Dangerous Function: xp_cmdshell

Abstract
xp_cmdshell 함수는 안전하게 사용할 수 없습니다. 사용하지 않는 것이 좋습니다.
Explanation
일부 함수는 사용 방법에 관계 없이 위험하게 동작합니다. xp_cmdshell 함수는 Windows 명령 셸을 시작하여 제공된 명령 문자열을 실행합니다. 명령은 기본 시스템이나 제공된 프록시 컨텍스트에서 실행됩니다. 그러나 미리 지정된 권한 작업 세트에 대해 사용자를 제한할 수 없으며 권한 승인은 사용자가 명령 문자열을 실행할 수 있도록 합니다.
References
[1] xp_cmdshell
[2] Standards Mapping - Common Weakness Enumeration CWE ID 242
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[15] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)
[16] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding
desc.semantic.sql.dangerous_function_xp_cmdshell

Dangerous Method

Abstract
메서드는 위험한 것으로 주석 추가되었습니다. 이 메서드의 모든 사용은 이슈로 플래그 지정되었습니다.
Explanation
FortifyDangerous 주석이 이 메서드에 적용되었습니다. 이는 위험하다는 것을 표시하는 데 사용되며 모든 사용은 안전을 위해 검토해야 합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 749
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
desc.structural.java.dangerous_method

Dangerous Type

Abstract
이 변수는 위험한 것으로 주석 처리된 유형의 변수입니다.
Explanation
FortifyDangerous 주석이 이 형식에 적용되었습니다. 이는 위험하다는 것을 표시하는 데 사용되며 모든 사용은 안전을 위해 검토해야 합니다.

References
[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.java.dangerous_class_variable

Database Bad Practices: Use of Restricted Accounts

Abstract
admin, administrator, guest, root 또는 sa 계정 중 하나를 사용하여 데이터베이스에 연결하려고 했습니다.
Explanation
Windows Azure SQL 데이터베이스는 SQL Server 인증만 지원합니다. Windows 인증(통합 보안)은 지원되지 않습니다. 사용자는 Windows Azure SQL 데이터베이스에 연결할 때마다 자격 증명(로그인 및 암호)을 제공해야 합니다. Microsoft Windows Azure SQL 데이터베이스 일반 지침 및 제한 사항에 따르면 admin, administrator, guest, root, sa와 같은 계정 이름은 사용할 수 없습니다.
References
[1] Security Guidelines and Limitations (Windows Azure SQL Database)
[2] Windows Azure SQL Database Concepts
[3] Transact-SQL Support (Windows Azure SQL Database)
[4] Development Considerations in Windows Azure SQL Database
[5] Managing Databases and Logins in Windows Azure SQL Database
[6] Configure and manage Azure AD authentication with Azure SQL
[7] How to: Connect to Windows Azure SQL Database Using sqlcmd
[8] Copying Databases in Windows Azure SQL Database
[9] Data Types (Windows Azure SQL Database)
[10] Deprecated Database Engine Features in SQL Server 2012
[11] EXECUTE AS (Transact-SQL)
[12] Security Statements
[13] System Stored Procedures (Windows Azure SQL Database)
[14] Guidelines and Limitations (Windows Azure SQL Database)
[15] General Guidelines and Limitations (Windows Azure SQL Database)
[16] Standards Mapping - Common Weakness Enumeration CWE ID 272
[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[18] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[19] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235
[20] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)
[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)
[24] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[25] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

Abstract
이 문은 결코 실행되지 않습니다.
Explanation
주변의 코드가 이 문의 실행을 불가능하게 합니다.

예제 1: 두 번째 if 문에 대한 조건을 만족할 수 없습니다. s에 null이 아닌 값을 지정할 수 있는 경로에서만, return 문이 있는 동안 s가 null이 아닌 값이어야 합니다.


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 561
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 2.1
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-1-1, Rule 0-1-2
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 0.0.1, Rule 0.0.2
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)
[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II
[14] Standards Mapping - Smart Contract Weakness Classification SWC-135
desc.internal.cpp.dead_code

Denial of Service

Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하여 리소스 소모 조건을 생성하도록 허용합니다.

예제 1: 다음 코드는 현재 작업 프로세스가 절전 모드로 있을 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 작업 프로세스를 무기한으로 지연시킬 수 있습니다.


...
CALL FUNCTION 'ENQUE_SLEEP'
  EXPORTING
    SECONDS = usrInput.
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.denial_of_service
Abstract
응용 프로그램은 클라이언트의 원격 IP 주소를 사용하여 RateLimitPartition을 생성합니다.
Explanation
클라이언트의 IP 주소를 기반으로 RateLimitPartitions를 생성하면 응용 프로그램이 IP 소스 주소 스푸핑을 사용하는 Denial of Service 공격에 취약해집니다.
예제 1: 다음 예에서 GetTokenBucketLimiter() 메서드는 RateLimitPartition을 생성할 때 원격 IP 주소(RemoteIpAddress)를 파티션 키로 사용합니다.

...
builder.Services.AddRateLimiter(limiterOptions => {
    limiterOptions.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, IPAddress>(context => {
        IPAddress? ip = context.Connection.RemoteIpAddress;
        return RateLimitPartition.GetTokenBucketLimiter(ip!, _ =>
            new TokenBucketRateLimiterOptions
            {
                TokenLimit = 7
            });
    });
});
...
References
[1] By Arvin Kahbazi, Maarten Balliauw, and Rick Anderson Rate limiting middleware in ASP.NET Core Microsoft
[2] P, Ferguson Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Cisco Systems
[3] Standards Mapping - Common Weakness Enumeration CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.asp_dotnet_core_rate_limitting_denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드는 현재 프로세스가 절전 모드로 있을 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 프로세스를 무기한으로 지연시킬 수 있습니다.


  unsigned int usrSleepTime = uatoi(usrInput);
  sleep(usrSleepTime);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.cpp.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드는 스레드가 절전 모드인 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 스레드를 무기한으로 지연시킬 수 있습니다. 적은 수의 요청으로 공격자가 응용 프로그램의 스레드 풀을 고갈시킬 수 있습니다.


Sleep(url.duration);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.cfml.denial_of_service
Abstract
공격자가 프로그램 충돌을 야기하거나 합법적인 사용자에게 프로그램이 제공되지 않도록 만들 수 있습니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 큰 문제는 적은 수의 요청으로 응용 프로그램 과부하를 일으키는 것을 가능하게 하는 버그에 있습니다. 이러한 버그를 통해 공격자는 요청에 사용될 시스템 리소스의 양 또는 사용 기간을 지정할 수 있습니다.

예제 1: 다음 코드를 통해 사용자는 Future 함수가 실행되는 기간을 지정할 수 있습니다. 함수 실행 기간을 길게 지정하면 공격자가 Future 함수 실행을 무기한 중지시킬 수 있습니다.


  final duration = Platform.environment['DURATION'];
  Future.delayed(Duration(seconds: int.parse(duration!)), () => ...);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dart.denial_of_service
Abstract
공격자가 프로그램 충돌을 야기하거나 합법적인 사용자에게 프로그램이 제공되지 않도록 만들 수 있습니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 큰 문제는 적은 수의 요청으로 응용 프로그램 과부하를 일으키는 것을 가능하게 하는 버그에 있습니다. 이러한 버그를 통해 공격자는 요청에 사용될 시스템 리소스의 양 또는 사용 기간을 지정할 수 있습니다.

예제 1: 공격자가 큰 값을 설정하는 경우 신뢰할 수 없는 데이터로 서비스 시간 초과를 설정하면 서비스가 응답하지 않을 수 있습니다.


func test(r *http.Request) {
  ...
  i, _ := strconv.Atoi(r.FormValue("TIME"))
  runtime.KeepAlive(i)
  ...
  }
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.golang.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드는 스레드가 절전 모드인 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 스레드를 무기한으로 지연시킬 수 있습니다. 적은 수의 요청으로 공격자가 응용 프로그램의 스레드 풀을 고갈시킬 수 있습니다.


  int usrSleepTime = Integer.parseInt(usrInput);
  Thread.sleep(usrSleepTime);
예제 2: 다음 코드는 zip 파일에서 문자열을 읽습니다. 이 코드에서는 readLine() 메서드를 사용하기 때문에 범위 지정 없는 입력 양을 읽습니다. 공격자가 OutOfMemoryException을 발생시키거나 대량의 메모리를 소모하도록 이 코드를 이용할 수 있으므로 프로그램이 가비지 수집(garbage collection)을 수행하는 데 더 많은 시간을 소모하거나 이후의 일부 작업 중에 메모리가 부족해집니다.


  InputStream zipInput = zipFile.getInputStream(zipEntry);
  Reader zipReader = new InputStreamReader(zipInput);
  BufferedReader br = new BufferedReader(zipReader);
  String line = br.readLine();
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[13] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드를 사용하면 사용할 file system의 크기를 사용자가 지정할 수 있습니다. 공격자가 큰 수를 지정하여 file system 리소스를 고갈시킬 수 있습니다.


  var fsync = requestFileSystemSync(0, userInput);
예제 2: 다음 코드는 파일에 작성합니다. 사용자 에이전트에 의해 닫힌 것으로 간주될 때까지 파일은 계속 작성 및 다시 작성될 수 있기 때문에 파일 내용 분석이 필요할 수도 있는 디스크 할당량, IO 대역폭 및 프로세스가 영향을 받습니다.


function oninit(fs) {
  fs.root.getFile('applog.txt', {create: false}, function(fileEntry) {
    fileEntry.createWriter(function(fileWriter) {
      fileWriter.seek(fileWriter.length);
      var bb = new BlobBuilder();
      bb.append('Appending to a file');
      fileWriter.write(bb.getBlob('text/plain'));
    }, errorHandler);
  }, errorHandler);
}

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.javascript.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드는 시스템에서 추가 처리가 지연되는 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 시스템을 무기한으로 지연시킬 수 있습니다.


procedure go_sleep (
usrSleepTime in NUMBER)
is
  dbms_lock.sleep(usrSleepTime);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.sql.denial_of_service
Abstract
공격자가 프로그램 충돌을 야기하거나 합법적인 사용자에게 프로그램이 제공되지 않도록 만들 수 있습니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 대부분의 플러딩(flooding) 공격은 네트워크 계층에서 무산될 수 있습니다. 더 큰 문제는 적은 수의 요청으로 응용 프로그램 과부하를 일으키는 것을 가능하게 하는 결함에 있습니다. 이러한 결함을 통해 공격자는 요청에 사용될 시스템 리소스의 양 또는 사용 기간을 지정할 수 있습니다.

예제 1: 다음 코드를 통해 사용자가 connect 기능에 대한 연결 시간 초과 기간을 지정할 수 있습니다. 함수 실행 기간을 길게 지정하면 공격자가 connect 함수 실행을 무기한 중지시킬 수 있습니다.


...
insecure_config_ssl_connection_timeout = {
  'user': username,
  'password': retrievedPassword,
  'host': databaseHost,
  'port': "3306",
  'connection_timeout': connection_timeout
}

mysql.connector.connect(**insecure_config_ssl_connection_timeout)
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.denial_of_service
Abstract
공격자가 프로그램을 중단할 수 있게 되거나 정식 사용자가 이용할 수 없게 됩니다.
Explanation
공격자가 응용 프로그램에 요청을 과도하게 보내어 정식 사용자에 대한 서비스를 거부할 수도 있으나 플러딩(flooding) 공격은 네트워크 계층에서 무산되는 경우도 있습니다. 더 심각한 문제는 적은 수의 요청으로 공격자가 응용 프로그램을 과부화하도록 허용하는 버그입니다. 이러한 버그는 해당 요청이 사용되는 시스템 자원의 수치 또는 이 수치를 사용하는 기간을 공격자가 지정하도록 허용합니다.

예제 1: 다음 코드는 스레드가 절전 모드인 시간을 사용자가 지정하도록 허용합니다. 공격자는 큰 수를 지정하여 스레드를 무기한으로 지연시킬 수 있습니다. 적은 수의 요청으로 공격자가 응용 프로그램의 스레드 풀을 고갈시킬 수 있습니다.


  Kernel.sleep(user_input)
예제 2: 다음 코드는 파일에서 문자열을 읽습니다. 이 코드에서는 제한을 지정하지 않고 readline() 메서드를 사용하기 때문에 범위 지정 없는 양의 입력을 읽습니다. 공격자는 이 코드를 활용하여 프로세스가 응답하지 않으면서 점점 더 많은 메모리를 소모하도록 할 수 있으며, 이러한 공격은 메모리를 완전히 소진할 때까지 계속될 수 있습니다.


  fd = File.new(myFile)
  line = fd.readline
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation
[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.denial_of_service

Denial of Service: Format String

Abstract
사용자 입력이 형식 매개 변수를 제어하는 것을 허용하면 공격자가 예외를 발생시키거나 정보를 누출할 수 있습니다.
Explanation
공격자는 예외가 발생하도록 형식 문자열 인수를 수정할 수 있습니다. 이 예외를 catch하지 않은 상태로 유지하면 응용 프로그램이 중단될 수 있습니다. 또한 다른 인수 내에서 민감한 정보를 사용하는 경우에는 공격자가 형식 문자열을 변경하여 이 정보를 노출시킬 수 있습니다.

예제 1: 다음 코드는 사용자가 Formatter.format()에 대한 형식 문자열 인수를 지정할 수 있도록 합니다.


  ...
  Formatter formatter = new Formatter(Locale.US);
  String format = "The customer: %s %s has the balance %4$." + userInput + "f";
  formatter.format(format, firstName, lastName, accountNo, balance);
  ...


사용자는 이 프로그램을 통해 잔고를 표시할 소수점의 수를 지정할 수 있습니다. 그러나 실제로 소수점의 수는 제한되지 않습니다. 사용자가 특정 항목을 지정할 수 있으면 java.util.MissingFormatArgumentException 등의 예외가 발생할 수 있으며, 이 예외는 try 블록 내에 있지 않으므로 응용 프로그램 실패로 이어질 수 있습니다.
그러나 이 예제 내에서 더욱 중요한 점은, 공격자가 사용자 입력 "2f %3$s %4$.2"를 지정할 수 있는 경우 형식 문자열은 "The customer: %s %s has the balance %4$.2f %3$s %4$.2"가 된다는 것입니다. 그러면 결과 문자열 내에 민감한 정보인 accountNo가 포함됩니다.
References
[1] IDS06-J. Exclude unsanitized user input from format strings CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[7] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - OWASP Top 10 2013 A1 Injection
[12] Standards Mapping - OWASP Top 10 2017 A1 Injection
[13] Standards Mapping - OWASP Top 10 2021 A03 Injection
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[47] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_format_string

Denial of Service: Parse Double

Abstract
프로그램은 double을 구문 분석하고 스레드가 응답하지 않도록 만들 수 있는 메서드를 호출합니다.
Explanation
java.lang.Double.parseDouble()[2^(-1022) - 2^(-1075) : 2^(-1022) - 2^(-1076)] 범위에 있는 임의의 수를 구문 분석할 때 스레드가 응답하지 않도록 만들 수 있는 관련된 메서드의 구현에 취약점이 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.

예제 1: 다음 코드는 취약한 메서드를 사용합니다.

Double d = Double.parseDouble(request.getParameter("d"));


매개 변수 d가 해당 범위의 값(예: "0.0222507385850720119e-00306")인 경우, 공격자가 요청을 보내 요청을 처리하는 동안 프로그램이 응답하지 않도록 만들 수 있습니다.

이 취약성은 Java 버전 6 업데이트 23 이하 버전에서 나타나며, Java 버전 6 업데이트 24 이상 버전에서는 나타나지 않습니다.
References
[1] Rick Regan Java Hangs When Converting 2.2250738585072012e-308
[2] Oracle Security Alert for CVE-2010-4476
[3] Standards Mapping - Common Weakness Enumeration CWE ID 400
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [20] CWE ID 400
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [23] CWE ID 400
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [23] CWE ID 400
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A1 Injection
[19] Standards Mapping - OWASP Top 10 2021 A03 Injection
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_parse_double

Denial of Service: Regular Expression

Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 공격자가 서로 겹치는 대체 하위 식을 포함하는 정규식을 악용할 수도 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.abap.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Microsoft Best Practices for Regular Expressions in the .NET Framework
[2] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[3] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[8] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dotnet.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dart.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 공격자가 서로 겹치는 대체 하위 식을 포함하는 정규식을 악용할 수도 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.golang.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.javascript.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 공격자는 이 결함을 사용하여 DoS(Denial of Service) 공격을 실행할 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.kotlin.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1: 다음 정규식이 식별된 취약한 코드에 사용될 경우, DoS(Denial of Service)가 발생할 수 있습니다.

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+


결함이 있는 정규식을 사용 중인 문제가 되는 코드의 예제:


NSString *regex = @"^(e+)+$";
NSPredicate *pred = [NSPRedicate predicateWithFormat:@"SELF MATCHES %@", regex];
if ([pred evaluateWithObject:mystring]) {
  //do something
}


대부분의 정규식 파서는 정규식 평가 시 NFA(Nondeterministic Finite Automaton) 구조를 만듭니다. NFA는 완벽한 일치를 찾을 때까지 가능한 모든 일치를 시도합니다. 이전 예를 고려해 볼 때, 공격자가 일치 문자열 “eeeeZ”를 제공할 경우, regex 파서가 일치를 식별하기 위해 살펴보아야 할 16가지 내부 평가가 있습니다. 공격자가 일치 문자열로 16개의 “e”(“eeeeeeeeeeeeeeeeZ”)를 제공할 경우, regex 파서는 65,536(2^16)개의 평가를 살펴보아야 합니다. 공격자는 연속 일치 문자의 수를 늘려 컴퓨팅 리소스를 쉽게 소모시킬 수 있습니다. 이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.objc.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.php.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.python.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과소비하게 될 수 있습니다.
Explanation
중첩되고 반복된 regex 그룹의 겹침 반복 및 대체를 평가할 때 스레드가 응답하지 않도록 할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

(e+)+
([a-zA-Z]+)*

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.ruby.denial_of_service_reqular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.
예제 1:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] IDS08-J. Sanitize untrusted data included in a regular expression CERT
[3] DOS-1: Beware of activities that may use disproportionate resources Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[45] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.scala.denial_of_service_regular_expression
Abstract
신뢰할 수 없는 데이터가 응용 프로그램에 전달되어 정규식으로 사용됩니다. 그러면 스레드가 CPU 리소스를 과도하게 사용할 수 있습니다.
Explanation
자체적으로 반복되는 그룹화 식을 포함하는 정규식을 평가할 때 스레드 중단을 야기할 수 있는 정규식 계산기 및 관련 메서드의 구현에 취약점이 있습니다. 또한 서로 겹치는 대체 하위 식을 포함하는 정규식이 악용될 수 있습니다. 이 결함은 DoS(Denial of Service) 공격을 실행하는 데 사용될 수 있습니다.

예제 1: 다음 정규식이 식별된 취약한 코드에 사용될 경우, DoS(Denial of Service)가 발생할 수 있습니다.

(e+)+
([a-zA-Z]+)*
(e|ee)+


결함이 있는 정규식을 사용 중인 문제가 되는 코드의 예제:


let regex : String = "^(e+)+$"
let pred : NSPredicate = NSPRedicate(format:"SELF MATCHES \(regex)")
if (pred.evaluateWithObject(mystring)) {
  //do something
}


대부분의 정규식 파서는 정규식 평가 시 NFA(Nondeterministic Finite Automaton) 구조를 만듭니다. NFA는 완벽한 일치를 찾을 때까지 가능한 모든 일치를 시도합니다. Example 1을 고려해 볼 때, 공격자가 일치 문자열 “eeeeZ”를 제공할 경우, regex 파서가 일치를 식별하기 위해 살펴보아야 할 16가지 내부 평가가 있습니다. 공격자가 일치 문자열로 16개의 “e”(“eeeeeeeeeeeeeeeeZ”)를 제공할 경우, regex 파서는 65,536(2^16)개의 평가를 살펴보아야 합니다. 공격자는 연속 일치 문자의 수를 늘려 컴퓨팅 리소스를 쉽게 소모시킬 수 있습니다. 이 취약점의 영향을 받지 않는 정규식 구현은 알려져 있지 않습니다. 모든 플랫폼 및 언어가 이 공격에 취약합니다.
References
[1] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses
[2] Standards Mapping - Common Weakness Enumeration CWE ID 185, CWE ID 730
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[42] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[43] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.swift.denial_of_service_regular_expression

Denial of Service: Routing

Abstract
공격자가 와일드카드 라우팅 패턴을 조작하면 광범위한 스펙트럼의 URL을 효과적으로 포함하거나 모든 URL에 대한 일치를 얻을 수 있으며, 이로 인해 잠재적으로 DoS(서비스 거부) 공격이 시작될 수 있습니다.
Explanation
취약점은 ASP.NET 응용 프로그램에서 routes.Ignore 메서드를 통한 와일드카드 라우팅 패턴 통합으로 인해 나타납니다. 이 방법을 사용하면 외부 입력이 라우팅 동작을 정의할 수 있습니다. 특히 {*allaspx} 같은 와일드카드를 사용하면 공격자에게 라우팅 작업을 조작할 수 있는 발판이 제공됩니다. 핵심 문제는 이러한 와일드카드 패턴을 제어하는 입력이 꼼꼼하게 검증되지 않거나 정화되지 않을 때 발생합니다.
악의적 작업자는 이러한 취약점을 활용하여 DoS 공격을 조율할 수 있습니다. 과도하게 허용되는 와일드카드 패턴을 통합하는 입력을 제공함으로써 공격자는 라우팅 시스템이 URL 요청의 중요한 범주를 무시하도록 효과적으로 유도할 수 있습니다. 최악의 경우 공격자는 모든 URL을 포함하는 입력을 제공하여 응용 프로그램에 액세스할 수 없게 되는 광범위한 서비스 거부를 초래할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 730
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-003320 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.dotnet.denial_of_service_routing

Denial of Service: Stack Exhaustion

Abstract
공격자는 특수하게 고안된 데이터를 입력하여 프로그램의 데이터 구조 구현을 수정하거나 정의할 수 있으며, 이로 인해 스택 고갈을 통해 서비스 거부가 발생할 수 있습니다.
Explanation
데이터 구조 구현을 수정하거나 정의하기 위해 프로그램에서 직접 사용하는 사용자 지정 데이터는 스택 고갈에 취약할 수 있습니다. 예를 들어, 사용자가 재귀적으로 처리되는 연결된 데이터 구조에 순환 링크를 만들 수 있는 경우 스택 소진을 초래하는 무한 재귀로 이어질 수 있습니다.

예제 1: 다음 코드 조각은 Apache Log4j2를 사용하여 이 취약점을 보여줍니다.

Marker child = MarkerManager.getMarker("child");
Marker parent = MarkerManager.getMarker("parent");

child.addParents(MarkerManager.getMarker(userInput));
parent.addParents(MarkerManager.getMarker(userInput2)); 
        
String toInfinity = child.toString();


이 작은 프로그램을 통해 사용자는 childparent의 상위 마커를 사용자 정의 마커로 설정할 수 있습니다. 사용자가 child의 상위를 parent로, parent의 상위를 child로 입력하면 마커 데이터 구조에 순환 링크가 생성됩니다. 순환 링크가 포함된 데이터 구조에서 재귀적 toString 메서드를 실행하면 프로그램에서 스택 오버플로 예외가 발생하고 프로그램이 중단됩니다. 이로 인해 스택 고갈을 통한 서비스 거부가 발생합니다.
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] Standards Mapping - Common Weakness Enumeration CWE ID 730, CWE ID 674
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.3 - Web Software Attack Mitigation
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[41] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.dataflow.java.denial_of_service_stack_exhaustion

Denial of Service: StringBuilder

Abstract
기본 백업 배열 크기로 초기화된 StringBuilder 또는 StringBuffer 인스턴스에 신뢰할 수 없는 데이터를 추가하면 JVM이 힙 메모리 공간을 과소비하게 될 수 있습니다.
Explanation
기본 백업 문자 배열 크기(16)로 초기화된 StringBuilder 또는 StringBuffer 인스턴스에 사용자 제어 데이터를 추가하면 응용 프로그램이 사용자의 데이터에 맞게 기본 배열의 크기를 조정하는 동안 대량의 힙 메모리를 소비하게 될 수 있습니다. 데이터가 StringBuilder 또는 StringBuffer 인스턴스에 추가되면 인스턴스는 백업 문자 배열에 데이터를 저장할 충분한 여유 공간이 있는지를 확인합니다. 데이터가 맞지 않는 경우 StringBuilder 또는 StringBuffer 인스턴스는 이전 배열 크기의 두 배 이상의 크기로 새 배열을 생성하지만 가비지가 수집되기 전까지 힙에 이전 배열이 남아 있습니다. 공격자는 이 구현 세부 정보를 사용하여 Denial of Service (DoS) 공격을 실행할 수 있습니다.

예제 1: 기본 생성자로 초기화된 StringBuilder 인스턴스에 사용자 제어 데이터가 추가됩니다.

    ...
    StringBuilder sb = new StringBuilder();
    final String lineSeparator = System.lineSeparator();
    String[] labels = request.getParameterValues("label");
    for (String label : labels) {
        sb.append(label).append(lineSeparator);
    }
    ...
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] MSC05-J. Do not exhaust heap space CERT
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.dataflow.java.denial_of_service_stringbuilder
Abstract
기본 백업 배열 크기로 초기화된 StringBuilder 또는 StringBuffer 인스턴스에 신뢰할 수 없는 데이터를 추가하면 JVM이 힙 메모리 공간을 과소비하게 될 수 있습니다.
Explanation
기본 백업 문자 배열 크기(16)로 초기화된 StringBuilder 또는 StringBuffer 인스턴스에 사용자 제어 데이터를 추가하면 응용 프로그램이 사용자의 데이터에 맞게 기본 배열의 크기를 조정하는 동안 대량의 힙 메모리를 소비하게 될 수 있습니다. 데이터가 StringBuilder 또는 StringBuffer 인스턴스에 추가되면 인스턴스는 백업 문자 배열에 데이터를 저장할 충분한 여유 공간이 있는지를 확인합니다. 데이터가 맞지 않는 경우 StringBuilder 또는 StringBuffer 인스턴스는 이전 배열 크기의 두 배 이상의 크기로 새 배열을 생성하지만 가비지가 수집되기 전까지 힙에 이전 배열이 남아 있습니다. 공격자는 이 구현 세부 정보를 사용하여 Denial of Service (DoS) 공격을 실행할 수 있습니다.

예제 1: 기본 생성자로 초기화된 StringBuilder 인스턴스에 사용자 제어 데이터가 추가됩니다.

    ...
    val sb = StringBuilder()
    val labels = request.getParameterValues("label")
    for (label in labels) {
        sb.appendln(label)
    }
    ...
References
[1] DOS-1: Beware of activities that may use disproportionate resources Oracle
[2] MSC05-J. Do not exhaust heap space CERT
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption
[7] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[8] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[21] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 754
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002530 CAT II
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
desc.dataflow.kotlin.denial_of_service_stringbuilder

Deserialization Bad Practice: Deny List

Abstract
알려진 불량 클래스(거부 목록)의 역직렬화 방지에 기반한 방어적 역직렬화의 경우 공격자가 이 보호를 우회하여 무효화할 수 있습니다.
Explanation
응용 프로그램은 응용 프로그램이 실제로 역직렬화되기 전에 역직렬화된 클래스를 확인할 수 있도록 해주는 미리 보기 역직렬화라고 하는 방어적 역직렬화를 구현합니다.



거부 목록은 새로운 가젯 체인, 래핑된 패키지 또는 자체 역직렬화 콜백 내에서 중첩된 역직렬화를 수행하는 클래스에 의해 쉽게 우회될 수 있습니다.
References
[1] Fortify Software Security Research The perils of Java deserialization
[2] Fortify Application Defender
[3] Oracle Java Serialization
[4] IBM Look-ahead Java deserialization
[5] OWASP Deserialization of untrusted data
[6] Standards Mapping - Common Weakness Enumeration CWE ID 502
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [23] CWE ID 502
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [21] CWE ID 502
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [13] CWE ID 502
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [12] CWE ID 502
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [15] CWE ID 502
[12] Standards Mapping - Common Weakness Enumeration Top 25 2024 [16] CWE ID 502
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[14] Standards Mapping - FIPS200 SI
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.5.1 Deserialization Prevention Requirements (L1 L2 L3), 5.5.3 Deserialization Prevention Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A6 Injection Flaws
[23] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[24] Standards Mapping - OWASP Top 10 2010 A1 Injection
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A8 Insecure Deserialization
[27] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.java.deserialization_bad_practice_deny_list

Directory Restriction

Abstract
chroot() 시스템 호출을 잘못 사용하면 공격자가 chroot jail을 빠져나갈 수 있습니다.
Explanation
chroot() 시스템 호출로 프로세스가 file system의 루트 디렉터리 개념을 변경할 수 있습니다. chroot()를 올바로 호출하면 프로세스가 새 루트 디렉터리에서 정의한 디렉터리 트리 외부의 파일에 접근할 수 없습니다. 그런 환경을 chroot jail이라고 하며 일반적으로 프로세스를 훔쳐 파일의 무단 접근에 사용할 가능성을 방지하기 위해 사용합니다. 예를 들어, 많은 FTP 서버를 chroot jail에서 실행하여 서버에서 새 취약점을 발견한 공격자가 시스템에서 암호 파일 또는 기타 민감한 파일을 다운로드하는 것을 방지합니다.

chroot()를 잘못 사용하면 공격자가 chroot jail을 빠져나갈 수 있습니다. chroot() 함수 호출은 프로세스의 현재 작업 디렉터리를 변경하지 않기 때문에 chroot()가 호출된 후에도 상대 경로가 chroot jail 외부의 file system 리소스를 참조할 수 있습니다.

예제 1: (가상의) FTP 서버의 다음 소스 코드를 보겠습니다.


chroot("/var/ftproot");
...
fgets(filename, sizeof(filename), network);
localfile = fopen(filename, "r");
while ((len = fread(buf, 1, sizeof(buf), localfile)) != EOF) {
  fwrite(buf, 1, sizeof(buf), network);
}
fclose(localfile);


이 코드는 네트워크에서 파일 이름을 읽고 로컬 컴퓨터에서 파일을 연 다음 네트워크로 파일 내용을 보냅니다. 이 코드는 FTP GET 명령을 구현하는 데 사용할 수 있습니다. FTP 서버는 /var/ftproot 외부의 파일에 대한 접근을 막기 위해 초기화 루틴에서 chroot()를 호출합니다. 그러나 서버가 chdir("/")를 호출하여 현재 작업 디렉터리를 변경할 수 없기 때문에 공격자가 "../../../../../etc/passwd" 파일을 요청하여 시스템 암호 파일의 복사본을 얻을 수 있습니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] A. Chuvakin Using Chroot Securely
[3] Standards Mapping - Common Weakness Enumeration CWE ID 243
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14
[6] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[8] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[9] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.cpp.directory_restriction

Django Bad Practices: Attributes in Deny List

Abstract
응용 프로그램은 거부 목록을 사용하여 폼을 통해 노출되는 속성을 제어합니다. 개발자는 새 속성을 추가할 때 거부 목록을 업데이트하는 것을 잊어버릴 수 있을 뿐 아니라 민감한 필드를 실수로 공격자에게 노출할 수도 있습니다.
Explanation
응용 프로그램은 exclude 거부 목록을 사용합니다. 이는 관리하기가 어려울 뿐 아니라 오류에도 취약합니다. 개발자가 폼이나 폼을 백업하는 Model에 새 필드를 추가하는 상황에서 exclude 필터를 업데이트하는 것을 잊어버리는 경우 공격자에게 민감한 필드를 노출할 수도 있습니다. 공격자는 악의적인 데이터를 제외되지 않는 필드로 전송하고 바인딩할 수 있습니다.

예제 1: 다음 폼은 일부 User 속성을 노출하지만 사용자 id에 대한 거부 목록을 검사합니다.


from myapp.models import User
...
class UserForm(ModelForm):
  class Meta:
    model = User
    exclude = ['id']
...
User 모델은 새 role 속성으로 업데이트되었지만 연결된 UserForm은 업데이트되지 않은 경우 폼에서 role 속성이 노출됩니다.
References
[1] Django Foundation Creating forms from models
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[4] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
desc.structural.python.django_bad_practices_attributes_in_deny_list

Django Bad Practices: Cookie Stored Sessions

Abstract
쿠키 기반 세션은 사용자가 로그아웃할 때 무효화되지 않습니다. 사용자의 쿠키를 검색하거나, 훔치거나, 가로채려는 공격자는 사용자가 로그아웃한 상태에서도 사용자를 가장할 수 있습니다.
Explanation
세션 데이터를 쿠키에 저장하면 다음과 같은 여러 가지 문제가 발생합니다.

1. 쿠키 기반 세션은 사용자가 로그아웃할 때 무효화되지 않습니다. 사용자의 쿠키를 검색하거나, 훔치거나, 가로채려는 공격자는 사용자가 로그아웃한 상태에서도 사용자를 가장할 수 있습니다.

2. 조작을 방지하고 데이터의 신뢰성을 보증하기 위해 세션 쿠키가 서명되지만 이를 통해 재전송 공격이 차단되지는 않습니다.

3. 세션 데이터가 암호화 서명 및 SECRET_KEY 설정을 위한 Django 도구를 통해 저장됩니다. SECRET_KEY가 누출되는 경우 공격자는 세션 데이터를 왜곡할 수 있을 뿐 아니라, 응용 프로그램에서 Pickle을 사용하여 세션 데이터를 쿠키로 직렬화하면 공격자가 역직렬화 시 임의의 코드를 실행하는 악의적으로 피클링된 데이터를 만들 수 있습니다.

4. 세션 데이터가 서명되지만 암호화되지는 않습니다. 따라서 공격자가 세션 데이터를 읽을 수 있지만 수정할 수는 없습니다.

5. 쿠키 크기 및 직렬화 프로세스로 인해 사이트 부하에 따른 성능 문제가 발생할 수 있습니다.
References
[1] Django Foundation Using cookie-based sessions
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-23 Session Authenticity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-23 Session Authenticity
[6] Standards Mapping - OWASP API 2023 API5 Broken Function Level Authorization
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002240 CAT I
[9] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002240 CAT I
[10] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002240 CAT I
[11] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002240 CAT I
[12] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002240 CAT I
[13] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002240 CAT I
[14] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002240 CAT I
[15] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002240 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002240 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002240 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002240 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002240 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002240 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002240 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002240 CAT I
[23] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_cookie_stored_sessions

Django Bad Practices: Overly Broad Host Header Verification

Abstract
Host 헤더를 확인하지 않으면 공격자가 Cross-Site Request Forgery, 캐시 감염 공격, 전자 메일의 링크 감염에 사용할 수 있는 허위 Host 값을 보낼 수 있습니다.
Explanation
Django 응용 프로그램 설정에서는 "*"를 ALLOWED_HOSTS 설정의 항목으로 지정합니다. 이 설정은 django.http.HttpRequest.get_host()에서 Host 헤더를 확인하는 데 사용됩니다. 값이 "*"이면 Host 헤더에서 모든 호스트가 허용됩니다. 공격자는 이를 캐시 감염 공격이나 전자 메일의 링크를 감염시키는 데 사용할 수 있습니다.

예제 1: 응용 프로그램에서 암호 재설정 기능을 제공하며, 이를 통해 사용자는 일정 유형의 고유 값(예: 전자 메일 주소)을 전송하여 자신을 식별할 수 있습니다. 그러면 새 암호를 설정할 수 있는 페이지의 링크와 함께 암호 재설정 전자 메일이 발송됩니다. 사용자에게 전송되는 링크는 하드코드된 URL을 방지하기 위해 암호 재설정 기능을 제공하는 사이트를 참조하도록 Host 값을 사용하여 생성할 수 있습니다. 예:


...
def reset_password(request):
  url = "http://%s/new_password/?token=%s" % (request.get_host(), generate_token())
  send_email(reset_link=url)
  redirect("home")
...


공격자는 자신이 제어하는 서버를 가리키는 허위 Host 헤더 값과 피해자의 전자 메일을 제출하여 피해자의 암호를 재설정하려고 할 수 있습니다. 이 경우 피해자는 암호 재설정 시스템으로 연결되는 링크가 포함된 전자 메일을 받게 되며, 해당 링크를 방문하기로 결정하면 공격자의 제어에 따라 피해자의 자격 증명을 수집하도록 허위 양식을 제공하는 사이트를 방문하게 됩니다.
References
[1] Django Foundation Host header validation
[2] Django Foundation ALLOWED_HOSTS
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective C.3.1 - Web Software Attack Mitigation
[5] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_overly_broad_host_header_verification

Django Bad Practices: Pickle Serialized Sessions

Abstract
Pickle을 통해 세션을 직렬화하면 공격자가 세션 데이터를 제어할 수 있는 경우 원격 코드 실행이 발생할 수 있습니다.
Explanation
쿠키 기반 세션을 사용하는 상황에서 SECRET_KEY가 누출되면 공격자는 세션 쿠키에 임의의 데이터를 저장했다가 나중에 서버에서 역직렬화하여 임의의 코드가 실행되도록 할 수 있습니다.

쿠키 기반 세션을 사용하는 경우에는 원격으로 접근할 수도 있는 시스템과 관련하여 암호 키의 보안이 항상 완벽한 상태로 유지되도록 각별히 유의해야 합니다.

예제 1: 다음 보기 메서드에서 SECRET_KEYsettings.py 구성 파일에 하드코드되어 있는 경우 공격자가 훔칠 수 있습니다.


...
def some_view_method(request):
  url = request.GET['url']
  if "http://" in url:
    content = urllib.urlopen(url)
    return HttpResponse(content)
  ...
Example 1의 메서드에서는 URL에 “http://”가 있는지 확인하는 방식으로 url 매개 변수가 유효한 URL임을 확인합니다. 악의적인 공격자는 다음과 같은 URL을 보내 SECRET_KEY가 포함될 수 있는 settings.py 구성 파일을 누출시킬 수 있습니다.


file://proc/self/cwd/app/settings.py#http://


참조: UNIX 시스템의 "/proc/self/cwd"는 프로세스 작업 디렉터리를 가리킵니다. 이를 통해 공격자는 정확한 위치를 몰라도 파일을 참조할 수 있습니다.
References
[1] Django Foundation Session serialization
[2] Balda Python web frameworks and pickles
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[5] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.django_bad_practices_pickle_serialized_sessions

DNS Spoofing

Abstract
DNS 설정에 대한 외부 제어를 허용하면 서비스를 손상시키거나 응용 프로그램이 비정상적으로 동작할 수 있습니다.
Explanation
DNS 캐시 감염이라고도 알려진 DNS 스푸핑은 공격자가 DNS 확인자의 캐시를 손상시켜 잘못된 IP 주소를 반환하도록 하는 공격 유형입니다. 공격자는 DNS 스푸핑을 사용하여 사용자가 알지 못하는 사이에 사용자를 악성 웹 사이트로 리디렉션할 수 있습니다. Node.js를 사용하는 서버 쪽 JavaScript의 경우, DNS 서버 설정을 잘못 처리하면 보안 취약점이 발생할 수 있습니다.

예제 1: Node.js 응용 프로그램을 통해 사용자가 사용자 지정 DNS 서버를 지정할 수 있는 시나리오를 생각해 보십시오. 이 입력이 제대로 검증되고 정화되지 않으면 공격자가 악성 DNS 서버를 제공하고 DNS 스푸핑 공격을 구현할 수 있습니다.


const dns = require('dns');

// User-controlled input for DNS servers
const customDnsServers = from_user_controlled_input;

// Set custom DNS servers
dns.setServers(customDnsServers);


이 예제에서는 사용자 제어 입력에서 파생된 값이 customDnsServers 변수에 할당됩니다. 그런 다음 이 입력은 dns.setServers(customDnsServers)를 사용하여 DNS 서버를 설정하는 데 사용됩니다. 공격자가 악성 DNS 서버 주소를 제공하는 경우 응용 프로그램이 공격자의 서버를 사용하여 도메인 이름을 확인하도록 지시할 수 있으며, 이로 인해 잘못된 IP 주소가 반환될 수 있습니다.
desc.dataflow.javascript.dns_spoofing

Dockerfile Misconfiguration: Default User Privilege

Abstract
Dockerfile에 USER가 지정되어 있지 않으므로 기본적으로 루트 사용자로 실행됩니다.
Explanation
DockerfileUSER가 지정되어 있지 않으면 Docker 컨테이너는 기본적으로 슈퍼 사용자 권한으로 실행됩니다. 이러한 슈퍼 사용자 권한은 컨테이너 안에서 실행 중인 코드로 전파되며 필요 이상으로 많은 권한을 제공합니다. 슈퍼 사용자 권한으로 Docker 컨테이너를 실행하면 공격 표면이 확장되어 공격자가 더 심각한 형태의 악용을 감행할 수 있습니다.
References
[1] Docker USER instruction
[2] Standards Mapping - Common Weakness Enumeration CWE ID 20
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000017
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[17] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000330 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000330 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.configuration.docker.dockerfile_misconfiguration_default_user_privilege