1464 개 항목 찾음
취약점

Immutable Classes: Non-final Fields

Abstract
클래스는 변경할 수 없는 것으로 주석 추가되지만 필드는 final이 아닙니다.
Explanation
이 클래스는 JCIP 주석 패키지의 Immutable 주석으로 주석 추가되었습니다. 비 final 필드는 값이 변경되도록 허용하여 클래스의 불변성을 침해합니다.

예제 1: Immutable 클래스에 대한 다음 코드는 실수로 필드를 final이 아닌 public으로 선언합니다.


@Immutable
public class ImmutableInteger {
public int value;

}
References
[1] B. Goetz Java Concurrency in Practice. Chapter 3: Sharing Objects Guidelines
[2] Package net.jcip.annotations Specification
[3] OBJ58-J. Limit the extensibility of classes and methods with invariants CERT
[4] MUTABLE-1: Prefer immutability for value types Oracle
[5] Standards Mapping - Common Weakness Enumeration CWE ID 471
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.java.immutable_non_final_fields

Immutable Classes: Public Mutable Fields

Abstract
클래스는 변경할 수 없는 것으로 주석 추가되지만 필드는 변경됩니다.
Explanation
이 클래스는 JCIP 주석 패키지의 Immutable 주석으로 주석 추가되었습니다. 변경 가능한 형식의 public 필드를 사용하면 클래스 외부 코드가 컨텐츠를 수정하고 클래스의 불변성을 침해할 수 있습니다.

예제 1: Immutable final 클래스에 대한 다음 코드는 실수로 Set publicfinal을 선언합니다.


@Immutable
public final class ThreeStooges {
public final Set stooges = new HashSet();
...
}
References
[1] B. Goetz Java Concurrency in Practice. Chapter 3: Sharing Objects Guidelines
[2] Package net.jcip.annotations Specification
[3] MUTABLE-1: Prefer immutability for value types Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 471
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
desc.structural.java.immutable_public_mutable_fields

Input Interception: Keyboard Extensions Allowed

Abstract
응용 프로그램에서 타사 키보드 확장의 설치를 허용합니다.
Explanation
키보드 확장이 사용자가 입력하는 모든 키 입력을 읽을 수 있습니다. 타사 키보드는 일반적으로 텍스트 입력을 간편하게 하거나 추가적인 이모지를 추가하는 데 사용되는데, 사용자가 입력하는 사항을 로그하거나 이를 원격 서버로 보내서 처리할 수도 있습니다. 악의적 키보드가 키로거 역할을 하도록 배포되어 사용자가 입력하는 모든 키를 읽어서 자격 증명이나 신용 카드 번호와 같은 민감한 데이터를 훔칠 수 있습니다.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 522, CWE ID 829
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-3
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.objc.input_interception_keyboard_extensions_allowed
Abstract
응용 프로그램에서 타사 키보드 확장의 설치를 허용합니다.
Explanation
키보드 확장이 사용자가 입력하는 모든 키 입력을 읽을 수 있습니다. 타사 키보드는 일반적으로 텍스트 입력을 간편하게 하거나 추가적인 이모지를 추가하는 데 사용되는데, 사용자가 입력하는 사항을 로그하거나 이를 원격 서버로 보내서 처리할 수도 있습니다. 악의적 키보드가 키로거 역할을 하도록 배포되어 사용자가 입력하는 모든 키를 읽어서 자격 증명이나 신용 카드 번호와 같은 민감한 데이터를 훔칠 수 있습니다.
References
[1] UIApplicationDelegate Apple
[2] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[3] Standards Mapping - Common Weakness Enumeration CWE ID 522, CWE ID 829
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-3
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.swift.input_interception_keyboard_extensions_allowed

Insecure Compiler Optimization

Abstract
메모리에서 민감한 데이터를 잘못 초기화하면 보안에 문제가 발생할 수 있습니다.
Explanation
컴파일러 최적화 오류는 다음 경우에 발생합니다.

1. 기밀 데이터를 메모리에 저장합니다.

2. 기밀 데이터를 덮어써서 메모리에서 초기화합니다.



3. 소스 코드는 최적화 컴파일러(optimizing compiler)를 사용하여 컴파일되는데 최적화 컴파일러는 이후에 메모리가 사용되지 않기 때문에 메모리 내용을 불필요한 저장 공간으로 보고 덮어쓰는 함수를 식별하여 제거합니다.
예제 1: 다음 코드는 사용자로부터 암호를 읽고 백 엔드 메인프레임에 연결한 다음 memset()을 사용하여 메모리에서 암호를 초기화합니다.


  void GetData(char *MFAddr) {
  char pwd[64];
  if (GetPasswordFromUser(pwd, sizeof(pwd))) {
   if (ConnectToMainframe(MFAddr, pwd)) {
		 // Interaction with mainframe
	 }
  }
  memset(pwd, 0, sizeof(pwd));
}


예제의 코드는 그대로 실행하면 올바로 동작하지만, Microsoft Visual C++(R) .NET 또는 GCC 3.x와 같은 최적화 컴파일러(optimizing compiler)를 사용하여 코드를 컴파일하면, 버퍼 pwd의 값을 덮어쓴 후 버퍼를 사용하지 않기 때문에 memset() 호출은 불필요한 저장 공간으로 간주되어 삭제됩니다[2]. 버퍼 pwd에는 민감한 값이 들어 있기 때문에 데이터가 메모리에 남아 있으면 응용 프로그램이 공격에 취약해질 수 있습니다. 공격자가 정확한 메모리 영역에 접근하게 되면 복구된 암호를 사용하여 시스템에 대한 제어를 얻을 수 있습니다.

공격자가 시스템 암호를 알아내지 못하도록 암호나 암호화 키와 같이 메모리에서 조작되는 민감한 데이터를 덮어쓰는 것은 일반적인 형태입니다. 하지만 최적화 컴파일러(optimizing compiler)를 사용하면 프로그램이 항상 소스 코드가 의도한 대로 동작하지는 않습니다. 이 예제에서는 호출이 일어나는 분명한 보안상의 이유가 있음에도 불구하고 데이터가 쓰여진 메모리가 이후에 사용되지 않는다는 이유로 컴파일러가 memset() 호출을 dead code로 해석합니다. 이 때, 문제는 많은 컴파일러 및 많은 프로그래밍 언어가 효율 개선을 이유로 이러한 보안 문제 또는 다른 보안 문제를 고려하지 않는다는 점입니다.

일반적으로 공격자는 코어 덤프 또는 런타임 메커니즘을 이용하여 특정 응용 프로그램이 사용하는 메모리에 액세스하여 비밀 정보를 알아내는 방식으로 이런 종류의 취약점을 익스플로이트합니다. 공격자가 비밀 정보에 액세스하게 되면 시스템을 더 익스플로이트하는 것이 비교적 간단해지므로 응용 프로그램이 사용하는 리소스를 손상시킬 수도 있습니다.
References
[1] M. Howard Some Bad News and Some Good News Microsoft
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] Standards Mapping - Common Weakness Enumeration CWE ID 14
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources
[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002380 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002380 CAT II
desc.semantic.cpp.insecure_compiler_optimization

Insecure Compiler Optimization: Pointer Arithmetic

Abstract
배열 범위 검사가 잘못 최적화될 수 있습니다.
Explanation
배열 범위 검사가 불법 포인터를 계산한 후 포인터가 범위를 벗어났는지 확인하는 것과 관련된 경우, 일부 컴파일러는 프로그래머가 불법 포인터를 의도적으로 생성하지 않았다고 가정하며 검사를 최적화합니다.

예제 1:

  char *buf;
  int len;
  ...
  len = 1<<30;

  if (buf+len < buf)  //wrap check
    [handle overflow]


작업 buf + len2^32보다 커서 결과 값이 buf보다 작습니다. 그러나 포인터에 대한 산술 overflow는 정의되지 않은 동작이므로 일부 컴파일러는 buf + len >= buf를 가정하여 랩 확인을 최적화합니다. 이와 같이 최적화하면 이 블록 뒤에 오는 코드가 buffer overflow에 취약해질 수 있습니다.
References
[1] Vulnerability Note VU#162289 CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 733
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 18.1
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 8.7.1
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1), SI-16 Memory Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources, SI-16 Memory Protection
[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[11] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[12] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[13] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3590.1 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3590.1 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3590.1 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3590.1 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3590.1 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3590.1 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3590.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002590 CAT I
desc.structural.cpp.insecure_compiler_optimization_pointer_arithmetic

Insecure Deployment: Non Production Ready

Abstract
응용 프로그램에 포함된 구성 요소가 운영 환경에 배포하도록 설계되어 있지 않습니다.
Explanation
Django 응용 프로그램에서는 운영 환경에 배포하도록 설계되어 있지 않은 static files 응용 프로그램의 serve 보기를 노출합니다. Django 설명서에 따르면 다음과 같습니다.

"static files 도구는 대부분 정적 파일을 운영 환경에 성공적으로 배포하는 데 도움이 되도록 설계되어 있습니다. 일반적으로, 로컬로 개발하는 경우 상당한 처리 부담으로 작용하는 별도의 전용 정적 파일 서버가 여기에 해당합니다. 따라서 staticfiles 앱은 개발 시 파일을 로컬로 제공하는 데 사용할 수 있는 단순하면서도 정리되지 않은 도우미 보기가 함께 제공됩니다.

이 보기는 DEBUGTrue로 설정되어 있는 경우에만 작동합니다.

때문에 이 보기는 대체로 비효율적이며 안전하지 않을 수도 있습니다. 이는 로컬 개발에만 사용하기 위한 것이며 운영 환경에 사용해서는 안 됩니다."
References
[1] Django Foundation The staticfiles app
[2] Django Foundation Managing static files
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality
[7] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001500 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001500 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001500 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001500 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001500 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001500 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001500 CAT II
desc.structural.python.insecure_deployment_non_production_ready_staticfiles

Insecure Deployment: Predictable Resource Name

Abstract
민감한 리소스에 예측 가능한 이름을 사용하면 공격자가 응용 프로그램을 검색하는 데 도움을 줄 수 있습니다.
Explanation
민감한 정보가 포함되어 있거나 권한이 지정된 기능을 제공하는 응용 프로그램 리소스는 일반적으로 악용될 위험이 높습니다. 공격자는 예비 조사 단계에서 이러한 파일과 디렉터리가 있는지 찾아보게 됩니다. 이러한 리소스에 예측 가능한 명명 체계를 사용하면 공격자가 이를 보다 쉽게 찾을 수 있습니다. authentication, 관리 작업 또는 개인 정보 취급 같은 민감한 기능을 다루는 모든 응용 프로그램 리소스는 검색되지 않도록 충분히 보호해야 합니다.

예제 1: 다음 예제에서는 admin 응용 프로그램이 예측 가능한 URL로 배포되어 있습니다.


from django.conf.urls import patterns
from django.contrib import admin

admin.autodiscover()

urlpatterns = patterns('',
    ...
    url(r'^admin/', include(admin.site.urls)),
    ...


데이터 저장을 담당하는 리소스는 응용 프로그램 기능을 구현하는 리소스와 구분해 놓아야 합니다. 프로그래머는 임시 리소스나 백업 리소스를 생성할 때 반드시 주의를 기울여야 합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 340
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[5] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[6] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[8] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[24] Standards Mapping - Web Application Security Consortium Version 2.00 Predictable Resource Location (WASC-34)
desc.structural.python.insecure_deployment_predictable_resource_name

Insecure IPC: Missing Content Validation

Abstract
확장 보기 컨트롤러가 호스트 애플리케이션에서 전송된 데이터의 확인에 실패합니다.
Explanation
확장이 호스트 응용 프로그램에서 전송하는 데이터를 자체 보기 컨트롤러에서 수신하는데, 수신된 신뢰할 수 없는 데이터를 사용 전에 확인하기 위한 SLComposeServiceViewController isContentValid의 구현에 실패합니다.

예제 1: 다음의 확장 보기 컨트롤러는 호스트 응용 프로그램에서 데이터를 수신하지만 이를 확인하기 위한 콜백 메서드의 구현에 실패합니다.


    #import <MobileCoreServices/MobileCoreServices.h>

    @interface ShareViewController : SLComposeServiceViewController
        ...
    @end

    @interface ShareViewController ()
        ...
    @end

    @implementation ShareViewController

    - (void)didSelectPost {
        NSExtensionItem *item = self.extensionContext.inputItems.firstObject;
        NSItemProvider *itemProvider = item.attachments.firstObject;
        ...
        // Use the received items
        ...
        [self.extensionContext completeRequestReturningItems:@[] completionHandler:nil];
    }

    ...

    @end
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] SLComposeServiceViewController Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_content_validation
Abstract
확장 보기 컨트롤러가 호스트 애플리케이션에서 전송된 데이터의 확인에 실패합니다.
Explanation
확장이 호스트 응용 프로그램에서 전송하는 데이터를 자체 보기 컨트롤러에서 수신하는데, 수신된 신뢰할 수 없는 데이터를 사용 전에 확인하기 위한 SLComposeServiceViewController isContentValid의 구현에 실패합니다.

예제 1: 다음의 확장 보기 컨트롤러는 호스트 응용 프로그램에서 데이터를 수신하지만 이를 검증하기 위한 SLComposeServiceViewController isContentValid 콜백 메서드를 구현하지 못합니다.


    import MobileCoreServices

    class ShareViewController: SLComposeServiceViewController {
        
        ... 

        override func didSelectPost() {
            let extensionItem = extensionContext?.inputItems.first as! NSExtensionItem
            let itemProvider = extensionItem.attachments?.first as! NSItemProvider
            ...
            // Use the received items
            ...
            self.extensionContext?.completeRequestReturningItems([], completionHandler:nil)
        }

        ...
    }
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] SLComposeServiceViewController Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_content_validation

Insecure IPC: Missing Sender Verification

Abstract
응용 프로그램이 URL 기반 IPC(Inter-Procedure Communication) 호출의 발신자 확인에 실패합니다.
Explanation
타사 응용 프로그램 또는 webview가 귀하의 응용 프로그램과 통신하기 위해 URL을 사용할 때 수신 응용 프로그램은 발신자가 통신 가능한 응용 프로그램의 허용 목록과 일치하는지 확인해야 합니다. 수신 응용 프로그램은 UIApplicationDelegate application:openURL:options: 또는 UIApplicationDelegate application:openURL:sourceApplication:annotation: 대리자 메서드를 사용하여 호출 URL의 출처를 확인할 수 있습니다.

예제 1: 다음의 UIApplicationDelegate application:openURL:options: 대리자 메서드 구현은 IPC 호출의 발신자 확인에 실패하고 호출 URL을 처리합니다.


    - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<NSString *,id> *)options {
        NSString *theQuery = [[url query] stringByRemovingPercentEncoding:NSUTF8StringEncoding];
        NSArray *chunks = [theQuery componentsSeparatedByString:@"&"];
        for (NSString* chunk in chunks) {
            NSArray *keyval = [chunk componentsSeparatedByString:@"="]; NSString *key = [keyval objectAtIndex:0];
            NSString *value = [keyval objectAtIndex:1];
            // Do something with your key and value
        }
        return YES;
    }
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_sender_verification
Abstract
응용 프로그램이 URL 기반 IPC(Inter-Procedure Communication) 호출의 발신자 확인에 실패합니다.
Explanation
타사 응용 프로그램 또는 wewbview가 귀하의 응용 프로그램과 통신하기 위해 URL을 사용할 때 수신 응용 프로그램은 발신자가 통신 가능한 응용 프로그램의 허용 목록과 일치하는지 확인해야 합니다. 수신 응용 프로그램은 UIApplicationDelegate application:openURL:options: 또는 UIApplicationDelegate application:openURL:sourceApplication:annotation: 대리자 메서드를 사용하여 호출 URL의 출처를 확인할 수 있습니다.

예제 1: 다음의 UIApplicationDelegate application:openURL:options: 대리자 메서드 구현은 IPC 호출의 발신자 확인에 실패하고 호출 URL을 처리합니다.


    func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
        return processCall(url)
    }
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501, CWE ID 939
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[22] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_sender_verification

Insecure IPC: Missing URL Validation

Abstract
응용 프로그램이 URL 기반 IPC(Inter-Procedure Communication) 호출에서 URL 호출의 확인에 실패합니다.
Explanation
타사 응용 프로그램 또는 webview가 귀하의 응용 프로그램과 통신하기 위해 URL을 사용할 때 수신 응용 프로그램은 추가 작업을 계속하기 전에 호출 URL을 확인해야 합니다. 수신 응용 프로그램은 UIApplicationDelegate application:didFinishLaunchingWithOptions: 또는 UIApplicationDelegate application:willFinishLaunchingWithOptions: 대리자 메서드를 사용하여 호출 URL을 열고자 한다는 것을 확인할 수 있습니다.

예제 1: 다음의 UIApplicationDelegate application:didFinishLaunchingWithOptions: 대리자 메서드 구현은 호출 URL의 확인에 실패하고 항상 신뢰할 수 없는 URL을 처리합니다.


    - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NS Dictionary *)launchOptions {
        return YES;
    }
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 501
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[8] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.objc.insecure_ipc_missing_url_validation
Abstract
응용 프로그램이 URL 기반 IPC(Inter-Procedure Communication) 호출에서 URL 호출의 확인에 실패합니다.
Explanation
타사 응용 프로그램 또는 webview가 귀하의 응용 프로그램과 통신하기 위해 URL을 사용할 때 수신 응용 프로그램은 추가 작업을 계속하기 전에 호출 URL을 확인해야 합니다. 수신 응용 프로그램은 UIApplicationDelegate application:didFinishLaunchingWithOptions: 또는 UIApplicationDelegate application:willFinishLaunchingWithOptions: 대리자 메서드를 사용하여 호출 URL을 열고자 한다는 것을 확인할 수 있습니다.

예제 1: 다음의 UIApplicationDelegate application:didFinishLaunchingWithOptions: 대리자 메서드 구현은 호출 URL의 확인에 실패하고 항상 신뢰할 수 없는 URL을 처리합니다.


    func application(application: UIApplication, didFinishLaunchingWithOptions launchOptions: [NSObject: AnyObject]?) -> Bool {
        return true
    }
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] UIApplicationDelegate Apple
[3] Standards Mapping - Common Weakness Enumeration CWE ID 501
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001084, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-3 Security Function Isolation, SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.swift.insecure_ipc_missing_url_validation

Insecure IPC: URL Scheme Hijacking

Abstract
응용 프로그램이 IPC(Inter-Procedure Communication)에 대해 사용자 지정 URL 스키마를 사용하여 "URL 스키마 하이재킹"의 위험이 있습니다.
Explanation
응용 프로그램이 타사 응용 프로그램과의 통신을 위해 이러한 응용 프로그램에 사용자 지정 URL 스키마를 등록할 수 있습니다. 이는 간단한 IPC 채널이지만 응용 프로그램이 "URL 스키마 하이재킹"에 노출될 수 있습니다. 모든 응용 프로그램이 Apple에서 예약하지 않은 URL 스키마를 등록할 수 있기 때문에 악성 응용 프로그램이 귀하의 응용 프로그램에서 사용되는 것과 동일한 스키마를 등록하여 원치 않는 동작을 유발할 수 있습니다. Apple의 설명서에는 "둘 이상의 타사 응용 프로그램이 동일 URL 스키마를 처리하도록 등록되는 경우 해당 스키마를 받을 응용 프로그램을 결정하기 위한 프로세스가 현재는 없습니다."라고 나와 있습니다. 악성 응용 프로그램이 귀하의 응용 프로그램보다 먼저 설치된 경우, 악성 응용 프로그램이 스키마를 등록하여 귀하의 응용 프로그램의 성공적인 설치를 방해할 수 있습니다. 또한 악성 응용 프로그램이 귀하의 응용 프로그램 뒤에 설치되더라도 스키마 등록에 성공하면, 귀하의 응용 프로그램에서 등록을 하이재킹할 수 있습니다.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 939
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.objc.insecure_ipc_url_scheme_hijacking
Abstract
응용 프로그램이 IPC(Inter-Procedure Communication)에 대해 사용자 지정 URL 스키마를 사용하여 "URL 스키마 하이재킹"의 위험이 있습니다.
Explanation
응용 프로그램이 타사 응용 프로그램과의 통신을 위해 이러한 응용 프로그램에 사용자 지정 URL 스키마를 등록할 수 있습니다. 이는 간단한 IPC 채널이지만 응용 프로그램이 "URL 스키마 하이재킹"에 노출될 수 있습니다. 모든 응용 프로그램이 Apple에서 예약하지 않은 URL 스키마를 등록할 수 있기 때문에 악성 응용 프로그램이 귀하의 응용 프로그램에서 사용되는 것과 동일한 스키마를 등록하여 원치 않는 동작을 유발할 수 있습니다. Apple의 설명서에는 "둘 이상의 타사 응용 프로그램이 동일 URL 스키마를 처리하도록 등록되는 경우 해당 스키마를 받을 응용 프로그램을 결정하기 위한 프로세스가 현재는 없습니다."라고 나와 있습니다. 악성 응용 프로그램이 귀하의 응용 프로그램보다 먼저 설치된 경우, 악성 응용 프로그램이 스키마를 등록하여 귀하의 응용 프로그램의 성공적인 설치를 방해할 수 있습니다. 또한 악성 응용 프로그램이 귀하의 응용 프로그램 뒤에 설치되더라도 스키마 등록에 성공하면, 귀하의 응용 프로그램에서 등록을 하이재킹할 수 있습니다.
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Standards Mapping - Common Weakness Enumeration CWE ID 939
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[11] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
desc.structural.swift.insecure_ipc_url_scheme_hijacking

Insecure Randomness

Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


FORM GenerateReceiptURL CHANGING baseUrl TYPE string.
    DATA: r TYPE REF TO cl_abap_random,
		  var1 TYPE i,
		  var2 TYPE i,
		  var3 TYPE n.


	GET TIME.
	var1 = sy-uzeit.
	r = cl_abap_random=>create( seed = var1 ).
	r->int31( RECEIVING value = var2 ).
	var3 = var2.
    CONCATENATE baseUrl var3 ".html" INTO baseUrl.
ENDFORM.


이 코드는 CL_ABAP_RANDOM->INT31 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. CL_ABAP_RANDOM은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 338
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.abap.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


string GenerateReceiptURL(string baseUrl) {
    Random Gen = new Random();
    return (baseUrl + Gen.Next().toString() + ".html");
}


이 코드는 Random.Next() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Random.Next()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] RandomNumberGenerator Class Microsoft
[2] System.Security.Cryptography Namespace Microsoft
[3] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[4] Standards Mapping - Common Weakness Enumeration CWE ID 338
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.dotnet.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


char* CreateReceiptURL() {
    int num;
    time_t t1;
    char *URL = (char*) malloc(MAX_URL);
    if (URL) {
        (void) time(&t1);
        srand48((long) t1);     /* use time to set seed */
        sprintf(URL, "%s%d%s", "http://test.com/", lrand48(), ".html");
    }
    return URL;
}


이 코드는 lrand48() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. lrand48()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 디자인에도 결함이 있지만 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용하는 것이 보다 안전했을 것입니다.
References
[1] B. Schneier Yarrow: A secure pseudorandom number generator
[2] CryptLib
[3] Crypto++
[4] BeeCrypt
[5] OpenSSL
[6] CryptoAPI: CryptGenRandom() Microsoft
[7] RtlGenRandom() Microsoft
[8] .NET System.Security.Cryptography: Random Number Generation Microsoft
[9] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[10] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[11] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[12] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[13] Standards Mapping - Common Weakness Enumeration CWE ID 338
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[15] Standards Mapping - FIPS200 MP
[16] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[21] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[22] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[24] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[25] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[26] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[27] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[40] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.cpp.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.


컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


<cfoutput>
Receipt: #baseUrl##Rand()#.cfm
</cfoutput>


이 코드는 Rand() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Rand()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] ColdFusion Java CFX Reference Adobe
[2] Java Cryptography Architecture Oracle
[3] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[4] Standards Mapping - Common Weakness Enumeration CWE ID 338
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.cfml.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG 입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 RSA 키를 만듭니다.


import "math/rand"
...
var mathRand = rand.New(rand.NewSource(1))
rsa.GenerateKey(mathRand, 2048)


이 코드는 rand.New() 함수를 사용하여 RSA 키의 무작위성을 생성합니다. rand.New()는 통계적 PRNG이므로 생성되는 값을 공격자가 쉽게 추측할 수 있습니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 338
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.golang.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


String GenerateReceiptURL(String baseUrl) {
    Random ranGen = new Random();
    ranGen.setSeed((new Date()).getTime());
    return (baseUrl + ranGen.nextInt(400000000) + ".html");
}


이 코드는 Random.nextInt() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Random.nextInt()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 338
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.java.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


function genReceiptURL (baseURL){
  var randNum = Math.random();
  var receiptURL = baseURL + randNum + ".html";
  return receiptURL;
}


이 코드는 Math.random() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Math.random()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Crypto | Node.js documentation The OpenJS Foundation and Node.js contributors
[3] Standards Mapping - Common Weakness Enumeration CWE ID 338
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.structural.javascript.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG 입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


fun GenerateReceiptURL(baseUrl: String): String {
    val ranGen = Random(Date().getTime())
    return baseUrl + ranGen.nextInt(400000000).toString() + ".html"
}


이 코드는 Random.nextInt() 함수를 사용하여 생성하는 영수증 페이지에 대해 "고유한" 식별자를 생성합니다. Random.nextInt()는 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추측할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 식별자를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 338
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.kotlin.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


  function genReceiptURL($baseURL) {
    $randNum = rand();
    $receiptURL = $baseURL . $randNum . ".html";
    return $receiptURL;
  }


이 코드는 rand() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. rand()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 338
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.php.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


CREATE or REPLACE FUNCTION CREATE_RECEIPT_URL
  RETURN VARCHAR2
AS
  rnum VARCHAR2(48);
  time TIMESTAMP;
  url VARCHAR2(MAX_URL)
BEGIN
  time := SYSTIMESTAMP;
  DBMS_RANDOM.SEED(time);
  rnum := DBMS_RANDOM.STRING('x', 48);
  url := 'http://test.com/' || rnum || '.html';
  RETURN url;
END


이 코드는 DBMS_RANDOM.SEED() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. DBMS_RANDOM.SEED()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 디자인에도 결함이 있지만 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용하는 것이 보다 안전했을 것입니다.
References
[1] Oracle Database Security Guide
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Standards Mapping - Common Weakness Enumeration CWE ID 338
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.sql.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


    def genReceiptURL(self,baseURL):
        randNum = random.random()
        receiptURL = baseURL + randNum + ".html"
        return receiptURL


이 코드는 rand() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. rand()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 338
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.python.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


def generateReceiptURL(baseUrl) {
  randNum = rand(400000000)
  return ("#{baseUrl}#{randNum}.html");
}


이 코드는 Kernel.rand() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Kernel.rand()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 338
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[3] Standards Mapping - FIPS200 MP
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[9] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[10] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.structural.ruby.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


def GenerateReceiptURL(baseUrl : String) : String {
    val ranGen = new scala.util.Random()
    ranGen.setSeed((new Date()).getTime())
    return (baseUrl + ranGen.nextInt(400000000) + ".html")
}


이 코드는 Random.nextInt() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Random.nextInt()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 338
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.scala.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG 입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 암호 재설정 토큰으로 사용되는 무작위 값을 생성합니다.


    sqlite3_randomness(10, &reset_token)
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 338
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[13] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[14] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.swift.insecure_randomness
Abstract
표준 의사 난수 발생기는 암호화 공격을 차단하지 못합니다.
Explanation
Insecure Randomness 오류는 보안이 중요한 상황에서 예측 가능한 값을 생성할 수 있는 함수를 난수 발생원으로 사용할 때 발생합니다.

컴퓨터는 결정론을 사용하는 시스템이기 때문에 진정한 무작위성을 구현할 수 없습니다. PRNG(의사 난수 발생기)는 시드로부터 이후의 값을 계산하는 알고리즘을 사용하여 무작위성에 최대한 접근합니다.

PRNG는 두 가지 종류가 있는데 통계적 PRNG 및 암호화 PRNG입니다. 통계적 PRNG는 유용한 통계적 속성을 제공하지만 출력을 쉽게 예측할 수 있고 재생하기 쉬운 숫자 스트림을 만들기 때문에 보안이 예측할 수 없는 값을 생성하는 방식에 의존하는 경우 사용하기 부적합합니다. 암호화 PRNG는 예측하기 어려운 출력을 생성하여 이 문제를 해결합니다. 암호화 값이 안전하려면 공격자가 생성된 무작위 값과 실제적인 무작위 값을 구분하는 것이 불가능하거나 아주 어려워야 합니다. 일반적으로 PRNG 알고리즘이 안전한 암호화로 알려져 있지 않은 경우에는 통계적 PRNG를 가리키는 것일 수 있는데, 이 PRNG는 보안이 중요한 상황일 때 사용해서는 안 됩니다. 이 경우 통계적 PRNG를 사용하면 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 등의 심각한 취약점을 유발할 수 있습니다.

예제 1: 다음 코드는 통계적 PRNG를 사용하여 구입 후 일정 기간 동안 활성 상태를 유지하는 영수증의 URL을 작성합니다.


...
Function genReceiptURL(baseURL)
dim randNum
randNum = Rnd()
genReceiptURL = baseURL & randNum & ".html"
End Function
...


이 코드는 Rnd() 함수를 사용하여 생성되는 영수증 페이지에 대한 "고유한" ID를 생성합니다. Rnd()은 통계적 PRNG이므로 생성되는 문자열을 공격자가 쉽게 추축할 수 있습니다. 영수증 시스템의 기본 설계에도 오류가 있지만 암호화 PRNG와 같이 예측 가능한 영수증 ID를 생성하지 않는 난수 발생기를 사용했다면 훨씬 안전했을 것입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] CryptoAPI: CryptGenRandom() Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 338
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.1 Random Values (L2 L3), 6.3.2 Random Values (L2 L3), 6.3.3 Random Values (L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.vb.insecure_randomness

Insecure Randomness: Hardcoded Seed

Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: CL_ABAP_RANDOM 클래스 또는 해당 변형)에서 특정 상수 값을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 GET_NEXT, INT 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 발췌한 다음 내용에서는 random_gen2 객체에서 생성되는 값을 random_gen1 객체에서 예측할 수 있습니다.


		DATA: random_gen1 TYPE REF TO cl_abap_random,
			  random_gen2 TYPE REF TO cl_abap_random,
			  var1 TYPE i,
			  var2 TYPE i.

		random_gen1 = cl_abap_random=>create( seed = '1234' ).

		DO 10 TIMES.
			CALL METHOD random_gen1->int
				RECEIVING
			value  = var1.

			WRITE:/ var1.
		ENDDO.

		random_gen2 = cl_abap_random=>create( seed = '1234' ).

		DO 10 TIMES.
			CALL METHOD random_gen2->int
				RECEIVING
			value  = var2.

			WRITE:/ var2.
		ENDDO.


이 예제에서는 의사 난수 발생기 random_gen1random_gen2에서는 동일한 시드 값이 생성되었으므로 var1 = var2입니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 336
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[9] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[10] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.structural.abap.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: rand())에서 특정 값(srand(unsigned int) 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 rand() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 첫 번째 2개 블록이 동일한 시드로 시작하므로 의사 난수 발생기(PRNG)가 생성하는 값을 예측할 수 있습니다.


        srand(2223333);
        float randomNum = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum);
        randomNum = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum);

        srand(2223333);
        float randomNum2 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum2);
        randomNum2 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum2);

        srand(1231234);
        float randomNum3 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum3);
        randomNum3 = (rand() % 100);
        syslog(LOG_INFO, "Random: %1.2f", randomNum3);


이 예제에서는 randomNum1randomNum2의 결과에서 동일하게 시드가 생성되었기 때문에 의사 난수 발생기 srand(2223333)의 시드를 생성하는 호출이 끝난 후 rand()를 호출할 때마다 동일한 호출 순서로 동일한 출력 결과가 생성됩니다. 예를 들어 출력은 다음과 같을 수 있습니다.


Random: 32.00
Random: 73.00
Random: 32.00
Random: 73.00
Random: 15.00
Random: 75.00


이 결과는 난수와는 거리가 멉니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 336
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.cpp.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(PRNG)에서 특정 값(math.Rand.New(Source) 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 math.Rand.Int() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1: 첫 번째 2개 블록이 동일한 시드로 시작하므로 의사 난수 발생기(PRNG)가 생성하는 값을 예측할 수 있습니다.


  r := rand.New(rand.NewSource(12345))
  i := r.nextInt()
  
  r.Seed(12345)
  j := r.nextInt()


이 예에서 PRNG는 동일하게 시드가 생성되었기 때문에 의사 난수 발생기(randomGen.Seed(12345))의 시드를 생성한 호출 이후의 모든 nextInt() 호출은 동일한 출력과 동일한 순서로 나타납니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] MSC02-J. Generate strong random numbers CERT
[3] MSC03-J. Never hard code sensitive information CERT
[4] Standards Mapping - Common Weakness Enumeration CWE ID 336
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.golang.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: Random)에서 특정 값(Random.setSeed() 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 Random.nextInt() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1:Random 개체 randomGen2를 통해 생성되는 값을 Random 개체 randomGen1에서 예측할 수 있습니다.


        Random randomGen1 = new Random();
        randomGen1.setSeed(12345);
        int randomInt1 = randomGen1.nextInt();
        byte[] bytes1 = new byte[4];
        randomGen1.nextBytes(bytes1);

        Random randomGen2 = new Random();
        randomGen2.setSeed(12345);
        int randomInt2 = randomGen2.nextInt();
        byte[] bytes2 = new byte[4];
        randomGen2.nextBytes(bytes2);


이 예제에서는 의사 난수 발생기 randomGen1randomGen2는 동일하게 시드가 생성되었기 때문에 randomInt1 == randomInt2이고 해당하는 배열 bytes1[]bytes2[]의 값이 같습니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] MSC03-J. Never hard code sensitive information CERT
[5] Standards Mapping - Common Weakness Enumeration CWE ID 336
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.java.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: Random)에서 특정 값(Random(Int) 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 Random.nextInt() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1:Random 개체 randomGen2를 통해 생성되는 값을 Random 개체 randomGen1에서 예측할 수 있습니다.


        val randomGen1 = Random(12345)
        val randomInt1 = randomGen1.nextInt()
        val byteArray1 = ByteArray(4)
        randomGen1.nextBytes(byteArray1)

        val randomGen2 = Random(12345)
        val randomInt2 = randomGen2.nextInt()
        val byteArray2 = ByteArray(4)
        randomGen2.nextBytes(byteArray2)


이 예제에서는 의사 난수 발생기 randomGen1randomGen2는 동일하게 시드가 생성되었기 때문에 randomInt1 == randomInt2이고 해당하는 배열 byteArray1byteArray2의 값이 같습니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] MSC03-J. Never hard code sensitive information CERT
[5] Standards Mapping - Common Weakness Enumeration CWE ID 336
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.kotlin.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 정수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 의사 난수 값을 생성하는 함수는 상수 정수 인수로 호출해서는 안 됩니다. 의사 난수 발생기의 시드를 특정 값을 사용하여 생성하는 경우 반환되는 값을 예측할 수 있습니다.

예제 1: 첫 번째 2개 블록이 동일한 시드로 시작하므로 의사 난수 발생기(PRNG)가 생성하는 값을 예측할 수 있습니다.


...
import random
random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)

random.seed(123456)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
print "Random: %d" % random.randint(1,100)
...


이 예제에서는 PRNG에서 동일하게 시드가 생성되었기 때문에 의사 난수 발생기(random.seed(123456))의 시드를 생성한 호출이 끝난 후 randint()를 호출할 때마다 동일한 호출 순서로 동일한 출력 결과가 생성됩니다. 예를 들어 출력은 다음과 같을 수 있습니다.


Random: 81
Random: 80
Random: 3
Random: 81
Random: 80
Random: 3


이 결과는 난수와는 거리가 멉니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 336
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.python.insecure_randomness_hardcoded_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다.
Explanation
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 상수 인수로 호출해서는 안 됩니다. 의사 난수 발생기(예: Random)에서 특정 값(Random.setSeed() 같은 함수 사용)을 사용하여 시드가 생성되면 다수의 PRNG 출력을 수집할 수 있는 공격자가 Random.nextInt() 및 값을 반환하거나 할당하는 이와 유사한 메서드를 통해 반환되는 값을 예측할 수 있게 됩니다.

예제 1:Random 개체 randomGen2를 통해 생성되는 값을 Random 개체 randomGen1에서 예측할 수 있습니다.


        val randomGen1 = new Random()
        randomGen1.setSeed(12345)
        val randomInt1 = randomGen1.nextInt()
        val bytes1 = new byte[4]
        randomGen1.nextBytes(bytes1)

        val randomGen2 = new Random()
        randomGen2.setSeed(12345)
        val randomInt2 = randomGen2.nextInt()
        val bytes2 = new byte[4]
        randomGen2.nextBytes(bytes2)


이 예제에서는 의사 난수 발생기 randomGen1randomGen2는 동일하게 시드가 생성되었기 때문에 randomInt1 == randomInt2이고 해당하는 배열 bytes1[]bytes2[]의 값이 같습니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] MSC02-J. Generate strong random numbers CERT
[4] MSC03-J. Never hard code sensitive information CERT
[5] Standards Mapping - Common Weakness Enumeration CWE ID 336
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.semantic.scala.insecure_randomness_hardcoded_seed

Insecure Randomness: User-Controlled Seed

Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다.
Explanation
CL_ABAP_RANDOM 클래스 또는 해당 변형을 감염된 인수로 초기화해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 다음과 같은 메서드(단, 이에 국한하지는 않음)를 호출하여 생성되는 값의 시퀀스를 예측할 수 있게 됩니다. GET_NEXT, INT, FLOAT, PACKED.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 335
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.abap.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다.
Explanation
시드(예: srand())가 전달되어 난수 또는 의사 난수(예: rand()) 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 의사 난수 발생기를 호출하여 생성되는 값(대개 정수)의 시퀀스를 예측할 수 있게 됩니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 335
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.cpp.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다.
Explanation
ed25519.NewKeyFromSeed()와 같이 의사 난수 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기의 시드를 생성하는 데 사용되는 값을 제어한 후에 의사 난수 발생기 호출로 인해 생성되는 값의 순서를 예측할 수 있습니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] MSC02-J. Generate strong random numbers CERT
[6] Standards Mapping - Common Weakness Enumeration CWE ID 335
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[8] Standards Mapping - FIPS200 MP
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[13] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[14] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[17] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.golang.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 정수 인수로 호출해서는 안 됩니다.
Explanation
Random.setSeed()는 감염된 정수 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 Random.nextInt(), Random.nextShort(), Random.nextLong()을 호출하여 생성되거나, Random.nextBoolean()에서 반환되거나, Random.nextBytes(byte[])에 설정되는 값(대개 정수)의 시퀀스를 예측할 수 있게 됩니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[4] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[5] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[6] MSC02-J. Generate strong random numbers CERT
[7] Standards Mapping - Common Weakness Enumeration CWE ID 335
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.java.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 정수 인수로 호출해서는 안 됩니다.
Explanation
Random.setSeed()는 감염된 정수 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 Random.nextInt(), Random.nextLong(), Random.nextDouble()을 호출하여 생성되거나, Random.nextBoolean()에서 반환되거나, Random.nextBytes(ByteArray)에 설정되는 값(대개 정수)의 시퀀스를 예측할 수 있게 됩니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[4] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[5] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[6] MSC02-J. Generate strong random numbers CERT
[7] Standards Mapping - Common Weakness Enumeration CWE ID 335
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.kotlin.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다.
Explanation
의사 난수 값(예: random.randint())을 생성하는 함수는 감염된 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 의사 난수 발생기를 호출하여 생성되는 값(대개 정수)의 시퀀스를 예측할 수 있게 됩니다.
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[3] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[4] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[5] Standards Mapping - Common Weakness Enumeration CWE ID 335
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[12] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[13] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.python.insecure_randomness_user_controlled_seed
Abstract
시드가 전달되어 난수 또는 의사 난수 값을 생성하는 함수는 감염된 정수 인수로 호출해서는 안 됩니다.
Explanation
Random.setSeed()는 감염된 정수 인수로 호출해서는 안 됩니다. 그렇게 하면 공격자가 의사 난수 발생기(PRNG)의 시드 생성에 사용되는 값을 제어할 수 있게 되므로 Random.nextInt(), Random.nextShort(), Random.nextLong()을 호출하여 생성되거나, Random.nextBoolean()에서 반환되거나, Random.nextBytes(byte[])에 설정되는 값(주로, 정수)의 시퀀스를 예측할 수 있게 됩니다.
References
[1] Java Cryptography Architecture Oracle
[2] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[3] Elaine Barker and John Kelsey NIST Special Publication 800-90A: Recommendation for Random Number Generation Using Deterministic Random Bit Generators NIST
[4] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[5] Elaine Barker and John Kelsey DRAFT NIST Special Publication 800-90C: Recommendation for Random Bit Generator (RBG) Constructions NIST
[6] MSC02-J. Generate strong random numbers CERT
[7] Standards Mapping - Common Weakness Enumeration CWE ID 335
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 6.3.3 Random Values (L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[33] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.scala.insecure_randomness_user_controlled_seed

Insecure Randomness: Weak Entropy Source

Abstract
난수 또는 의사 난수 발생기가 잘못된 엔트로피 소스에 의존합니다.
Explanation
난수 또는 의사 난수 발생기에서 적절한 엔트로피 소스를 사용할 수 없으면 denial of service 공격이 발생하거나 예측 가능한 숫자 시퀀스가 생성될 수 있습니다. 난수 또는 의사 난수 발생기에서 사용하는 엔트로피 소스가 부족해지면 프로그램이 일시 중지되거나 경우에 따라 충돌이 발생하여 denial of service 공격이 발생할 수 있습니다. 아니면 난수 또는 의사 난수 발생기에서 예측 가능한 숫자를 생성할 수 있습니다. 난수 또는 의사 난수를 생성하는 잘못된 소스는 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹(Session Hijacking), DNS 스푸핑 같은 취약점을 유발할 수 있습니다.

예제 1: 다음 코드에서는 시스템 클럭을 엔트로피 소스로 사용합니다.

    ...
    srand (time(NULL));
    r = (rand() % 6) + 1;
    ...


시스템 클럭이 예측 가능한 값을 생성하기 때문에 적절한 엔트로피 소스가 아닙니다. 또한 system/input/output 버퍼, user/system/hardware/network 일련번호 또는 주소는 물론, 사용자 입력 같은 비하드웨어 기반의 무작위성 소스도 마찬가지입니다.
References
[1] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[2] Standards Mapping - Common Weakness Enumeration CWE ID 331
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.dataflow.cpp.insecure_randomness_weak_entropy_source
Abstract
난수 또는 의사 난수 발생기가 잘못된 엔트로피 소스에 의존합니다.
Explanation
난수 또는 의사 난수 발생기에서 적절한 엔트로피 소스를 사용할 수 없으면 denial of service 공격이 발생하거나 예측 가능한 숫자 시퀀스가 생성될 수 있습니다. 난수 또는 의사 난수 발생기에서 사용하는 엔트로피 소스가 부족해지면 프로그램이 일시 중지되거나 경우에 따라 충돌이 발생하여 denial of service 공격이 발생할 수 있습니다. 아니면 난수 또는 의사 난수 발생기에서 예측 가능한 숫자를 생성할 수 있습니다. 잘못된 난수를 생성하는 소스는 추측하기 쉬운 임시 암호, 예측 가능한 암호화 키, 세션 하이재킹, DNS 스푸핑 같은 취약점을 유발할 수 있습니다.

예제 1: 다음 코드에서는 시스템 클럭을 엔트로피 소스로 사용합니다.

...
import time
import random

random.seed(time.time())
...


시스템 클럭이 예측 가능한 값을 생성하기 때문에 적절한 엔트로피 소스가 아닙니다. 또한 system/input/output 버퍼, user/system/hardware/network 일련번호 또는 주소는 물론, 사용자 입력 같은 비하드웨어 기반의 무작위성 소스도 마찬가지입니다.
References
[1] Elaine Barker and John Kelsey NIST DRAFT Special Publication 800-90B: Recommendation for the Entropy Sources Used for Random Bit Generation NIST
[2] Standards Mapping - Common Weakness Enumeration CWE ID 331
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[4] Standards Mapping - FIPS200 MP
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.24
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 3.2.2 Session Binding Requirements (L1 L2 L3), 3.2.4 Session Binding Requirements (L2 L3), 6.3.3 Random Values (L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.3 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.3 - Use of Cryptography, Control Objective B.2.4 - Terminal Software Design
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 330
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002010 CAT II, APSC-DV-002050 CAT II, APSC-DV-002290 CAT II
desc.structural.python.insecure_randomness_weak_entropy_source

Insecure Sanitizer Policy

Abstract
HTML sanitizer 정책을 정의하기 위한 사용자 제어 또는 신뢰할 수 없는 데이터 사용을 통해 공격자는 정화 요구 사항을 피하고 Cross-Site Scripting(XSS) 공격을 실행할 수 있습니다.
Explanation
포괄적 용어 “입력 처리”는 입력 데이터의 확인, 정화, 필터링 및 인코딩/디코딩과 같은 기능을 설명합니다. Cross-Site Scripting, SQL injection 및 process control 취약점은 모두 입력 처리가 잘못되거나 없는 것에서 기인합니다. 수용 가능한 형태로 입력 변환을 수반하는 입력 정화는 일반적으로 입력 확인에 추가하여 구현됩니다. HTML 정화는 안전한 태그, 속성 및 요소만 허용하도록 사용자 입력을 정화하고 정리하는 것을 나타냅니다.
완벽한 HTML 정화 정책 구현은 어렵습니다. 성공적인 구현의 핵심은 데이터가 사용될 컨텍스트를 이해하는 것입니다. 각 컨텍스트에는 고유의 취약점이 있으며 하나의 크기가 모두에 맞지는 않습니다. HTML sanitizer(예: OWASP HTML sanitizer)를 사용하여 웹 응용 프로그램의 XSS 취약점을 방지하는 것이 현명하며 부적절한 구현은 보안에 대한 잘못된 인식으로 이어질 수 있습니다.
예제 1: 다음 Java 코드는 HTML sanitizer 정책 구축에서 사용자 제어 입력 변수 elements를 사용합니다.


...
String elements = prop.getProperty("AllowedElements");
...
public static final PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder()
															.allowElements(elements)
															.toFactory();

....


악의적인 사용자는 elements를 공급하여 <script> 등의 위험한 요소를 HTML sanitizer 정책에서 수용하도록 할 수 있습니다.

References
[1] OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet
[2] Understanding Malicious Content Mitigation for Web Developers CERT
[3] HTML 4.01 Specification W3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 80
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [1] CWE ID 079
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-15 Information Output Filtering (P0)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-15 Information Output Filtering
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting
[20] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)
[21] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)
[22] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[23] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 079
[38] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079
[39] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting
desc.dataflow.java.insecure_sanitizer_policy

Insecure SSL: Android Customized Implementation

Abstract
응용 프로그램은 사용자 지정 SSL 인터페이스를 구현합니다.
Explanation
SSL 표준은 클라이언트 측에서 SSL 확인 검사를 수행하는 방법에 대한 지침을 제공합니다. 그러나 이러한 구현은 표준에 포함되어 있지 않습니다. 따라서 확인 로직의 구현은 응용 프로그램 개발자의 몫입니다.

조사에 따르면 SSL 표준 사양의 복잡성과 개방성은 결점 없는 사용자 지정 SSL 구현을 어렵게 만드는 몇 가지 문제를 야기합니다. 사용자 지정 SSL 구현을 사용하는 대부분의 Android 응용 프로그램은 보안 통신 채널을 제공하지 못하는 결점이 있으며 이로 인해 응용 프로그램이 MITM(Man-In-The-Middle) 공격에 취약해집니다.
References
[1] Designing for Security Android
[2] S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, B. Friesleben Why Eve and Mallory Love Android:An Analysis of Android SSL (In)Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 296, CWE ID 297, CWE ID 298, CWE ID 299
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[11] Standards Mapping - FIPS200 CM, SC
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.4 Server Communications Security Requirements (L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[19] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[21] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.insecure_ssl_android_customized_implementation

Insecure SSL: Android Socket

Abstract
이 메서드는 SSL 확인 검사에 실패합니다.
Explanation
InetAddress를 함수 매개 변수로 받아들이는 createSocket()에 대한 호출은 호스트 이름 확인을 수행하지 않습니다.

마찬가지로, getInsecure()에 대한 호출은 모든 SSL 검사가 비활성화된 SSL 소켓 팩토리를 반환합니다.

둘 다 모두 응용 프로그램을 MITM(Man-In-The-Middle) 공격에 취약하게 만듭니다.

예를 들어 응용 프로그램은 https://safesecureserver.banking.com 연결을 시도할 때 https://hackedserver.banking.com에 발급된 인증서를 즉시 수락합니다. 그러면 이제 응용 프로그램은 해킹당한 서버에 대한 손상된 SSL 연결에서 민감한 사용자 정보를 누출할 가능성이 있습니다.
References
[1] Designing for Security Android
[2] S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgartner, B. Friesleben Why Eve and Mallory Love Android:An Analysis of Android SSL (In)Security
[3] JavaDoc for Android Android
[4] Standards Mapping - Common Weakness Enumeration CWE ID 297
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[12] Standards Mapping - FIPS200 CM, SC
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1
[20] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[22] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[23] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[25] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.insecure_ssl_android_socket

Insecure SSL: Inadequate Certificate Verification

Abstract
응용 프로그램은 인증서 체인 검증에 적합하지 않은 메서드를 호출합니다.
Explanation
응용 프로그램은 서버의 최종-엔터티 인증서와 시스템에서 신뢰하는 CA(인증 기관) 인증서 간의 올바른 신뢰 경로의 일부가 아닌 항목을 제거하지 않고 서버에서 반환하는 전체 인증서 목록을 반환하는 메서드를 호출합니다.

공격자가 손상된 CA의 개인 키에 대한 액세스를 소유한 경우 SSL/TLS 연결을 가로채고 서버에서 제공한 인증서를 수정할 수 있습니다. 이 시나리오에서는 공격자가 서버의 최종-엔터티 인증서에서 손상된 루트 CA로의 올바른 신뢰 경로를 생성하여 클라이언트가 인증서를 신뢰하고 서버에서 제공한 나머지 원래 인증서를 추가하게 만들 수 있습니다.

클라이언트가 인증서 고정을 사용하는 경우 "고정된" 인증서가 서버에서 제공한 항목 중 하나임을 확인하게 됩니다. 클라이언트가 올바른 신뢰 경로의 일부가 아닌 항목을 제거하지 않고 서버에서 제공한 모든 인증서를 반환하는 메서드를 사용하는 경우 유효한 손상된 개인 키를 가진 공격자가 웹 서버가 제공한 원래 인증서와 해당 손상된 CA에 대한 유효한 신뢰 경로를 제공할 수 있습니다. 해당 시나리오에서는 공격자가 인증서 고정 확인을 우회할 수 있습니다.
References
[1] An Examination of Ineffective Certificate Pinning Implementations Cigital
[2] Standards Mapping - Common Weakness Enumeration CWE ID 297
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[10] Standards Mapping - FIPS200 CM, SC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[16] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-NETWORK-2
[18] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[20] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.java.insecure_ssl_inadequate_certificate_verification

Insecure SSL: Overly Broad Certificate Trust

Abstract
SSL/TLS 연결은 기본 사전 로드된 시스템 CA(인증 기관)를 사용하여 생성되며 이로 인해 공격자가 손상된 루트 CA로 서명된 인증서를 사용하여 MiTM(Man-in-The-Middle: 메시지 가로채기) 공격을 수행하여 암호화된 통신을 가로챌 수 있습니다.
Explanation
PKI(공용 키 인프라)는 신뢰할 수 있는 CA(인증 기관)를 기반으로 하지만 손상된 인증 기관 증가는 해당 루트 인증서를 더 이상 신뢰할 수 없으며 그렇기 때문에 이 CA에서 서명한 인증서도 신뢰할 수 없음을 의미합니다. 이러한 손상된 인증서를 소유한 공격자는 이러한 CA를 신뢰하는 모든 SSL/TLS 트래픽을 가로챌 수 있습니다.

인증 기관 서명은 임의의 네트워크 끝점에 연결하며 이러한 끝점에 대한 SSL/TLS 인증서를 서명하는 CA에 대한 고급 지식이 없는 브라우저와 같은 범용 네트워크 통신 도구에 필요합니다. 제한된 수의 백엔드 서버에 연결하는 모바일 응용 프로그램은 이러한 서버가 해당 인증서 서명에 사용하고 응용 프로그램에서 이러한 인증서/공용 키를 "고정"하여 응용 프로그램이 예상하는 인증서로 신뢰 수준을 줄일 수 있는 신뢰할 수 있는 CA 최종 후보 목록 인지를 활용할 수 있습니다.

예제 1: 다음 예제는 기본 사전 로드된 시스템 CA를 사용하여 SSL/TLS 연결을 설정합니다.

URL url = new URL("https://myserver.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
URLConnection에 사용되는 기본 SSLSocketFactory는 변경되지 않았기 때문에 Android 기본 키 저장소에 있는 모든 CA를 신뢰하는 기본 항목을 사용합니다.
References
[1] Your app shouldn't suffer SSL's problems Moxie Marlinspike
[2] Certificate and Public Key Pinning OWASP
[3] Standards Mapping - Common Weakness Enumeration CWE ID 297
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[11] Standards Mapping - FIPS200 CM, SC
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-NETWORK-2
[20] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[22] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[23] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[25] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.insecure_ssl_overly_broad_certificate_trust
Abstract
SSL/TLS 연결은 기본 사전 로드된 시스템 CA(인증 기관)를 사용하여 생성되며 이로 인해 공격자가 손상된 루트 CA로 서명된 인증서를 사용하여 MiTM(Man-in-The-Middle: 메시지 가로채기) 공격을 수행하여 암호화된 통신을 가로챌 수 있습니다.
Explanation
PKI(공용 키 인프라)는 신뢰할 수 있는 CA(인증 기관)를 기반으로 하지만 손상된 인증 기관 증가는 해당 루트 인증서를 더 이상 신뢰할 수 없으며 그렇기 때문에 이 CA에서 서명한 인증서도 신뢰할 수 없음을 의미합니다. 이러한 손상된 인증서를 소유한 공격자는 이러한 CA를 신뢰하는 모든 SSL/TLS 트래픽을 가로챌 수 있습니다.

인증 기관 서명은 임의의 네트워크 끝점에 연결하며 이러한 끝점에 대한 SSL/TLS 인증서를 서명하는 CA에 대한 고급 지식이 없는 브라우저와 같은 범용 네트워크 통신 도구에 필요합니다. 제한된 수의 백엔드 서버에 연결하는 모바일 응용 프로그램은 이러한 서버가 해당 인증서 서명에 사용하고 응용 프로그램에서 이러한 인증서/공용 키를 "고정"하여 응용 프로그램이 예상하는 인증서로 신뢰 수준을 줄일 수 있는 신뢰할 수 있는 CA 최종 후보 목록 인지를 활용할 수 있습니다.

예제 1: 다음 예제는 기본 사전 로드된 시스템 CA를 사용하여 SSL/TLS 연결을 설정합니다.

val url = URL("https://myserver.org")
val data = url.readBytes()
URLConnection에 사용되는 기본 SSLSocketFactory는 변경되지 않았기 때문에 Android 기본 키 저장소에 있는 모든 CA를 신뢰하는 기본 항목을 사용합니다.
References
[1] Your app shouldn't suffer SSL's problems Moxie Marlinspike
[2] Certificate and Public Key Pinning OWASP
[3] Standards Mapping - Common Weakness Enumeration CWE ID 297
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[11] Standards Mapping - FIPS200 CM, SC
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[18] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-NETWORK-2
[20] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[22] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[23] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[25] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.kotlin.insecure_ssl_overly_broad_certificate_trust
Abstract
SSL/TLS 연결은 기본 사전 로드된 시스템 CA(인증 기관)를 사용하여 생성되며 이로 인해 공격자가 손상된 루트 CA로 서명된 인증서를 사용하여 MiTM(Man-in-The-Middle: 메시지 가로채기) 공격을 수행하여 암호화된 통신을 가로챌 수 있습니다.
Explanation
PKI(공용 키 인프라)는 신뢰할 수 있는 CA(인증 기관)를 기반으로 하지만 손상된 인증 기관 증가는 해당 루트 인증서를 더 이상 신뢰할 수 없으며 그렇기 때문에 이 CA에서 서명한 인증서도 신뢰할 수 없음을 의미합니다. 이러한 손상된 인증서를 소유한 공격자는 이러한 CA를 신뢰하는 모든 SSL/TLS 트래픽을 가로챌 수 있습니다.

인증 기관 서명은 임의의 네트워크 끝점에 연결하며 이러한 끝점에 대한 SSL/TLS 인증서를 서명하는 CA에 대한 고급 지식이 없는 브라우저와 같은 범용 네트워크 통신 도구에 필요합니다. 제한된 수의 백엔드 서버에 연결하는 모바일 응용 프로그램은 이러한 서버가 해당 인증서 서명에 사용하고 응용 프로그램에서 이러한 인증서/공용 키를 "고정"하여 응용 프로그램이 예상하는 인증서로 신뢰 수준을 줄일 수 있는 신뢰할 수 있는 CA 최종 후보 목록 인지를 활용할 수 있습니다.

예제 1: 다음 예제는 기본 사전 로드된 시스템 CA를 사용하여 SSL/TLS 연결을 설정합니다.

NSString* requestString = @"https://myserver.org";
NSURL* requestUrl = [NSURL URLWithString:requestString];
NSURLRequest* request = [NSURLRequest requestWithURL:requestUrl
                                         cachePolicy:NSURLRequestReloadIgnoringLocalCacheData
                                     timeoutInterval:10.0f];
NSURLConnection* connection = [[NSURLConnection alloc] initWithRequest:request delegate:self];


인증서 확인을 처리하도록 정의된 NSURLConnectionDelegate 메서드가 없기 때문에 iOS 기본 키 저장소에 있는 모든 CA를 신뢰하는 시스템을 사용합니다.
References
[1] Your app shouldn't suffer SSL's problems Moxie Marlinspike
[2] Certificate and Public Key Pinning OWASP
[3] HTTPS Server Trust Evaluation Apple
[4] Standards Mapping - Common Weakness Enumeration CWE ID 297
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[12] Standards Mapping - FIPS200 CM, SC
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[19] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-NETWORK-2
[21] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[25] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.insecure_ssl_overly_broad_certificate_trust
Abstract
SSL/TLS 연결은 기본 사전 로드된 시스템 CA(인증 기관)를 사용하여 생성되며 이로 인해 공격자가 손상된 루트 CA로 서명된 인증서를 사용하여 MiTM(Man-in-The-Middle: 메시지 가로채기) 공격을 수행하여 암호화된 통신을 가로챌 수 있습니다.
Explanation
PKI(공용 키 인프라)는 신뢰할 수 있는 CA(인증 기관)를 기반으로 하지만 손상된 인증 기관 증가는 해당 루트 인증서를 더 이상 신뢰할 수 없으며 그렇기 때문에 이 CA에서 서명한 인증서도 신뢰할 수 없음을 의미합니다. 이러한 손상된 인증서를 소유한 공격자는 이러한 CA를 신뢰하는 모든 SSL/TLS 트래픽을 가로챌 수 있습니다.

인증 기관 서명은 임의의 네트워크 끝점에 연결하며 이러한 끝점에 대한 SSL/TLS 인증서를 서명하는 CA에 대한 고급 지식이 없는 브라우저와 같은 범용 네트워크 통신 도구에 필요합니다. 제한된 수의 백엔드 서버에 연결하는 모바일 응용 프로그램은 이러한 서버가 해당 인증서 서명에 사용하고 응용 프로그램에서 이러한 인증서/공용 키를 "고정"하여 응용 프로그램이 예상하는 인증서로 신뢰 수준을 줄일 수 있는 신뢰할 수 있는 CA 최종 후보 목록 인지를 활용할 수 있습니다.

예제 1: 다음 예제는 기본 사전 로드된 시스템 CA를 사용하여 SSL/TLS 연결을 설정합니다.

let requestString = NSURL(string: "https://myserver.org") 
let requestUrl : NSURL = NSURL(string:requestString)!;
let request : NSURLRequest = NSURLRequest(URL:requestUrl);
let connection : NSURLConnection = NSURLConnection(request:request, delegate:self)!;


인증서 확인을 처리하도록 정의된 NSURLConnectionDelegate 메서드가 없기 때문에 iOS 기본 키 저장소에 있는 모든 CA를 신뢰하는 시스템을 사용합니다.
References
[1] Your app shouldn't suffer SSL's problems Moxie Marlinspike
[2] Certificate and Public Key Pinning OWASP
[3] HTTPS Server Trust Evaluation Apple
[4] Standards Mapping - Common Weakness Enumeration CWE ID 297
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[12] Standards Mapping - FIPS200 CM, SC
[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[19] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-NETWORK-2
[21] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[25] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[26] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.insecure_ssl_overly_broad_certificate_trust