1464 개 항목 찾음

취약점

J2EE Misconfiguration: Insufficient Session ID Length

Java/JSP

Abstract

세션 ID는 세션 ID를 알아내기 위한 무차별 대입 공격을 막기 위해 길이가 128비트 이상이어야 합니다.

Explanation

WebLogic 배포 설명자는 최소 24바이트 길이의 세션 ID를 지정해야 합니다. 이보다 짧은 세션 ID를 사용하면 응용 프로그램이 무차별 대입 공격에 취약해집니다. 공격자가 인증된 사용자의 세션 ID를 알아내면 사용자의 세션을 가로챌 수 있습니다. 이 글의 나머지 부분에서는 24바이트 세션 ID가 필요한 이유를 자세히 설명합니다.

세션 ID는 62개 영숫자의 의사 난수 선택으로 구성되어 있습니다. 이는 문자열이 실질적으로 무작위 방식으로 구성되었을 경우, 각 바이트는 최대 6비트의 엔트로피를 만들 수 있음을 의미합니다.

올바른 세션 ID를 추측하는 데 필요한 예상 시간(초)은 다음 식으로 구할 수 있습니다.

(2^B+1) / (2*A*S)

관련 설명:

- B는 세션 ID의 엔트로피의 비트 수입니다.

- A는 공격자가 1초에 시도할 수 있는 추측의 횟수입니다.

- S는 임의의 시간에 추측할 수 있는 유효한 세션 ID의 개수입니다.

세션 ID의 엔트로피의 비트 수는 항상 세션 ID의 총 비트 수보다 작습니다. 예를 들어, 세션 ID가 오름차순이라면 ID의 길이에 관계없이 세션 ID 엔트로피 비트 수가 0에 가까울 것입니다. 우수한 난수 발생기를 사용하여 세션 ID를 생성한다고 가정하면 세션 ID의 엔트로피의 비트 수는 세션 ID의 총 비트 수의 절반이 됩니다. 실제 ID 길이의 경우, 이것이 가능하지만 낙관적인 감이 있습니다.

공격자가 수백 또는 수천 대의 무인 컴퓨터를 가지고 봇네트(botnet)를 사용한다면 초당 수만 개의 추측을 시도한다고 가정하는 것이 타당합니다. 해당 웹 사이트가 대형 인기있는 웹 사이트라면 한동안 대량 무차별 대입을 발견하지 못할 수 있습니다.

추측할 수 있는 유효한 세션 ID 수의 하한(lower bound)은 임의의 순간에 사이트를 사용하고 있는 사용자 수입니다. 하지만 로그아웃하지 않고 세션을 떠난 사용자 때문에 이 수가 늘어납니다. (이는 비활성 세션 제한 시간을 짧게 하는 이유 중 하나입니다.)

64비트 세션 ID의 경우 32비트 엔트로피를 가정합니다. 대형 웹 사이트의 경우, 공격자가 초당 1,000번의 추측을 시도할 수 있고 임의의 순간에 10,000개의 유효한 세션 ID가 있다고 가정합니다. 이렇게 가정하면, 공격자가 유효한 세션 ID를 알아내는 데 성공하기 위한 예상 시간은 4분 미만입니다.

이번에는 128비트 세션 ID에서 64비트 엔트로피를 제공한다고 가정합니다. 초대형 웹 사이트에서 공격자는 초당 10,000번의 추측을 시도할 수 있고 추측할 수 있는 유효한 세션 ID는 100,000개입니다. 이렇게 가정하면, 공격자가 유효한 세션 ID를 알아내는 데 성공하는 예상 시간은 292년이 넘습니다.

비트에서 바이트로 역방향 작업을 하는 세션 ID는 128/6이어야 합니다. 이는 약 21바이트를 생성합니다. 그뿐만 아니라, 경험 상, 테스트를 해 보면 세션 ID의 첫 3바이트가 무작위로 생성되지 않음을 보여줍니다. 이는 원하는 64비트 엔트로피를 얻으려면 세션 ID 24바이트 길이를 사용하도록 WebLogic을 구성해야 함을 의미합니다.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 6

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001941, CCI-001942

[3] Standards Mapping - FIPS200 IA

[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002290 CAT II

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.j2ee_misconfiguration_insufficient_session_id_length

J2EE Misconfiguration: Invalid Servlet Name

Java/JSP

Abstract

잘못된 서블릿 이름은 의도한 서블릿에 대한 합법적인 액세스를 방해할 수 있습니다.

Explanation

web.xml에서 누락되거나 중복된 서블릿 이름은 오류입니다. 모든 서블릿에는 고유한 이름(servlet-name)과 해당하는 매핑(servlet-mapping)이 있어야 합니다.

예제 1:web.xml의 다음 항목은 몇 가지 잘못된 서블릿 정의를 보여줍니다.


<!-- No <servlet-name> specified: -->
    <servlet>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

<!-- Empty <servlet-name> node: -->
    <servlet>
        <servlet-name/>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

<!-- Duplicate <servlet-name> nodes: -->
    <servlet>
        <servlet-name>MyServlet</servlet-name>
        <servlet-name>Servlet</servlet-name>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

이러한 오류는 의도하지 않은 서블릿 액세스 거부를 유발할 수 있습니다.

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 684

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[7] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[36] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[37] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_invalid_servlet_name

J2EE Misconfiguration: Missing Authentication Method

Java/JSP

Abstract

로그인 구성이 없으면 보안 및 권한 부여 제약 조건이 실패합니다.

Explanation

<login-config> 요소는 사용자가 응용 프로그램에 인증하는 방법을 구성하는 데 사용됩니다. 인증 방법이 없으면 누구도 로그인할 수 없으므로 응용 프로그램에서 권한 부여 제약 조건을 적용하는 방법을 알지 못합니다. 인증 방법은 <login-config>의 하위 항목인 <auth-method> 태그를 사용하여 지정됩니다.

인증 방법에는 4가지가 있습니다. 즉, BASIC, FORM, DIGEST 및 CLIENT_CERT입니다.

BASIC은 HTTP 기본 인증을 나타냅니다.
FORM은 양식 기반 인증을 나타냅니다.
DIGEST는 기본 인증과 같습니다. 그러나 DIGEST에서는 암호가 암호화됩니다.
CLIENT_CERT는 클라이언트에 공개 키 인증서가 있어야 하고 SSL/TLS를 사용할 것을 요구합니다.

예제 1: 다음 구성은 로그인 구성을 지정하지 않습니다.


<web-app>

    <!-- servlet declarations -->
    <servlet>...</servlet>

    <!-- servlet mappings-->
    <servlet-mapping>...</servlet-mapping>

    <!-- security-constraints-->
    <security-constraint>...</security-constraint>

    <!-- login-config goes here -->

    <!-- security-roles -->
    <security-role>...</security-role>

</web-app>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Sun Microsystems, Inc. Specifying an Authentication Mechanism

[3] Standards Mapping - Common Weakness Enumeration CWE ID 284

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000778, CCI-001094, CCI-001958, CCI-001967

[5] Standards Mapping - FIPS200 IA

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), SC-5 Denial of Service Protection (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, SC-5 Denial of Service Protection

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_missing_authentication_method

J2EE Misconfiguration: Missing Data Transport Constraint

Java/JSP

Abstract

사용자 데이터 제약 조건을 지정하지 않는 보안 제약 조건은 제한된 리소스가 전송 계층에서 보호된다는 것을 보장할 수 없습니다.

Explanation

web.xml 보안 제약 조건은 일반적으로 RBAC(Role-Based Access Control)에 사용되지만 선택적 user-data-constraint 요소로 콘텐트의 안전하지 않은 전송을 차단하는 전송 보증을 지정할 수 있습니다.

<user-data-constraint> 태그 안에서 <transport-guarantee> 태그는 통신의 처리 방법을 정의합니다. 전송 보증에는 3가지 수준이 있습니다.

1) NONE은 응용 프로그램에서 전송 보증을 요구하지 않음을 의미합니다.
2) INTEGRAL은 응용 프로그램에서 클라이언트와 서버 간에 전송되는 데이터를 전송 중에 변경할 수 없는 방식으로 전송할 것을 요구함을 의미합니다.
3) CONFIDENTIAL은 응용 프로그램에서 다른 엔티티가 전송 내용을 관찰할 수 없는 방식으로 데이터를 전송할 것을 요구함을 의미합니다.

대부분의 상황에서 INTEGRAL 또는 CONFIDENTIAL의 사용은 SSL/TLS가 필요함을 의미합니다. <user-data-constraint> 및 <transport-guarantee> 태그가 생략된 경우 전송 보증은 기본적으로 NONE으로 설정됩니다.

예제 1: 다음 보안 제약 조건은 전송 보증을 지정하지 않습니다.


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Storefront</web-resource-name>
        <description>Allow Customers and Employees access to online store front</description>
        <url-pattern>/store/shop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Anyone</description>
        <role-name>anyone</role-name>
    </auth-constraint>
</security-constraint>

References

[1] Sun Microsystems, Inc. Java EE 5 Tutorial: Establishing a Secure Connection Using SSL

[2] Sun Microsystems, Inc. Java Servlet Specification Version 2.3

[3] Standards Mapping - Common Weakness Enumeration CWE ID 5

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[5] Standards Mapping - FIPS200 CM, SC

[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_missing_data_transport_constraint

J2EE Misconfiguration: Missing Error Handling

Java/JSP

Abstract

웹 응용 프로그램은 기본 오류 페이지를 정의하여 공격자가 응용 프로그램 컨테이너의 기본 제공 오류 응답의 정보를 빼내는 것을 방지해야 합니다.

Explanation

공격자가 웹 사이트에서 취약점을 찾기 위해 탐색할 때 사이트가 제공하는 정보의 양이 공격 시도의 성패를 결정짓는 핵심 요소입니다. 응용 프로그램이 공격자에게 스택 추적을 보여주면 공격자의 공격을 아주 쉽게 만드는 정보를 제공하는 셈이 됩니다. 예를 들어, 스택 추적은 공격자에게 잘못된 SQL 쿼리 문자열, 사용 중인 데이터베이스 유형 및 응용 프로그램 컨테이너 버전을 보여줄 수 있습니다. 공격자는 이 정보를 사용하여 이 구성 요소의 알려진 취약점을 공략합니다.

응용 프로그램 구성은 응용 프로그램이 오류 메시지를 공격자에게 누출하지 않는다는 것을 보장하기 위해 기본 오류 페이지를 지정해야 합니다. 표준 HTTP 오류 코드를 처리하는 것은 바람직한 보안 관행일 뿐만 아니라 유용하고 사용자 친화적입니다. 또한 응용 프로그램에서 발생할 수 있는 예외를 포착하는 마지막 오류 처리기도 정의해야 좋은 구성이라고 할 수 있습니다.

References

[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley

[2] Standards Mapping - Common Weakness Enumeration CWE ID 7

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-23 Data Mining Protection (P0), SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-23 Data Mining Protection, SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[52] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_missing_error_handling

J2EE Misconfiguration: Missing Filter Definition

Java/JSP

Abstract

존재하지 않는 필터를 참조하는 필터 매핑은 적용되지 않습니다.

Explanation

모든 필터 매핑은 유효한 필터 정의와 일치해야 적용됩니다.

예제 1: 다음 예제는 존재하지 않는 필터인 AuthenticationFilter를 참조하는 필터 매핑을 보여줍니다. 정의가 누락되었기 때문에 AuthenticationFilter 필터는 지정된 URL 패턴 /secure/*에 적용되지 않으며 런타임 예외를 야기할 수 있습니다.


<filter>
    <description>Compresses images to 64x64</description>
    <filter-name>ImageFilter</filter-name>
    <filter-class>com.ImageFilter</filter-class>
</filter>

<!-- AuthenticationFilter is not defined -->
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/secure/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>ImageFilter</filter-name>
    <servlet-name>ImageServlet</servlet-name>
</filter-mapping>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 284

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[7] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[37] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[38] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_missing_filter_definition

J2EE Misconfiguration: Missing Security Role

Java/JSP

Abstract

존재하지 않는 role-name을 참조하는 보안 제약 조건은 보호하는 모든 리소스에 대한 올바른 접근을 막습니다.

Explanation

auth-constraint에 정의된 role-name에 대한 security-role이 없으면 구성이 오래된 것일 수 있습니다.

예제 1: 다음 예제는 role-name을 지정하지만 security-role에서 역할 이름을 정의하지 않습니다.


<security-constraint>
    <web-resource-collection>
         <web-resource-name>AdminPage</web-resource-name>
         <description>Admin only pages</description>
         <url-pattern>/auth/noaccess/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <description>Administrators only</description>
        <role-name>admin</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 684

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[38] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[39] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_missing_security_role

J2EE Misconfiguration: Missing Servlet Mapping

Java/JSP

Abstract

web.xml에 정의된 서블릿은 해당하는 서블릿 매핑 없이 액세스할 수 없습니다.

Explanation

유효한 서블릿 매핑이 없으면 매핑되지 않은 서블릿에 대한 모든 액세스가 차단됩니다.

예제 1:web.xml의 다음 항목은 ExampleServlet을 정의하지만 해당하는 서블릿 매핑을 정의하지 않습니다.


<web-app
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

    <servlet>
      <servlet-name>ExampleServlet</servlet-name>
      <servlet-class>com.class.ExampleServlet</servlet-class>
      <load-on-startup>1</load-on-startup>
    </servlet>

</web-app>