1464 개 항목 찾음
취약점

Password Management: Password in Comment

Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 FTP 연결에 대한 기본 비밀번호를 지정합니다.


...
* Default username for FTP connection is "scott"
* Default password for FTP connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Scott Mitchell Protecting Connection Strings and Other Configuration Information Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 615
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[9] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[10] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[12] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[13] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.abap.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.actionscript.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.

예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.apex.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.dotnet.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.cpp.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
* Default username for database connection is "scott"
* Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.cobol.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
<!-- Default username for database connection is "scott" -->
<!-- Default password for database connection is "tiger" -->
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.cfml.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.java.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.javascript.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 외부에서 암호에 액세스할 수 있게 되며 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 손상되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...

이 구성은 유효한 것일 수 있지만, 구성에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 누구든 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.json.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.php.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
-- Default username for database connection is "scott"
-- Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.sql.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
# Default username for database connection is "scott"
# Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.python.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
#Default username for database connection is "scott"
#Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.ruby.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스 연결을 위한 기본 비밀번호를 지정합니다.


...
// Default username for database connection is "scott"
// Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.regex.universal.password_management_password_in_comment
Abstract
암호 또는 암호 세부 정보를 시스템 또는 시스템 코드 안에 일반 텍스트로 저장하는 것은 쉽게 해결할 수 없는 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
암호를 하드코드하는 것은 좋은 방법이 아닙니다. 주석 안에 자세한 암호 정보를 저장하는 것은 암호를 하드코드하는 것과 마찬가지입니다. 모든 프로젝트 개발자에게 암호가 표시될 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 암호가 외부로 유출되어 소프트웨어 패치 없이는 암호를 보호하거나 변경할 수 없습니다. 암호로 보호되는 계정이 침해되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
예제 1: 다음 주석은 데이터베이스에 연결하기 위한 기본 암호를 지정합니다.


...
'Default username for database connection is "scott"
'Default password for database connection is "tiger"
...


이 코드는 성공적으로 실행되지만 코드에 액세스할 수 있는 사용자는 암호에도 액세스할 수 있습니다. 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 615
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[8] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[9] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[11] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[12] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[13] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[14] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[15] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.vb.password_management_password_in_comment

Password Management: Password in Configuration File

Abstract
구성 파일에 일반 텍스트 암호를 저장하면 시스템 침해가 발생할 수 있습니다.
Explanation
일반 텍스트 암호를 구성 파일에 저장하면 파일을 읽을 수 있는 사용자는 누구나 암호로 보호되는 리소스 접근이 허용됩니다. 때때로 개발자가 구성에 대한 접근 권한이 있는 사람에게서 응용 프로그램을 방어할 수 없다고 생각하는 경우가 있는데 이런 태도가 공격자에게 유리하게 작용합니다. 좋은 암호 관리 지침에 따르면 암호를 일반 텍스트로 저장하지 않아야 합니다.
References
[1] Scott Mitchell Protecting Connection Strings and Other Configuration Information Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 13, CWE ID 260, CWE ID 555
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.config.dotnet.password_management_password_in_configuration_file
Abstract
일반 텍스트 암호를 구성 파일에 저장하면 시스템 침해가 발생할 수도 있습니다.
Explanation
일반 텍스트 암호를 구성 파일에 저장하면 파일을 읽을 수 있는 사용자는 누구나 암호로 보호되는 리소스에 접근할 수 있습니다. 때때로 개발자가 구성에 대한 접근 권한이 있는 사람에게서 응용 프로그램을 방어할 수 없다고 생각하는 경우가 있는데 이런 태도가 공격자에게 유리하게 작용합니다. Dockerfile에 암호가 포함되면 이 이미지의 모든 사용자가 암호에 접근할 수 있습니다.

다음 명령을 사용하여 기밀을 가져올 수 있습니다.
- docker images
- docker history
References
[1] Store config in the environment
[2] Build images with BuildKit
[3] Standards Mapping - Common Weakness Enumeration CWE ID 13, CWE ID 260, CWE ID 555
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[11] Standards Mapping - FIPS200 IA
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.configuration.docker.password_management_password_in_configuration_file
Abstract
구성 파일에 일반 텍스트 암호를 저장하면 시스템 침해가 발생할 수 있습니다.
Explanation
일반 텍스트 암호를 구성 파일에 저장하면 파일을 읽을 수 있는 사용자는 누구나 암호로 보호되는 리소스 접근이 허용됩니다. 때때로 개발자가 구성에 대한 접근 권한이 있는 사람에게서 응용 프로그램을 방어할 수 없다고 생각하는 경우가 있는데 이런 태도가 공격자에게 유리하게 작용합니다. 좋은 암호 관리 지침에 따르면 암호를 일반 텍스트로 저장하지 않아야 합니다.

References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 13, CWE ID 260, CWE ID 555
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.config.java.password_management_password_in_configuration_file
Abstract
Hardcoded Password는 해결하기 어려운 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
절대 암호를 하드코드하지 마십시오. 모든 프로젝트 개발자에게 암호를 노출할 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 아마도 프로그램 패치만이 암호를 변경할 수 있는 유일한 방법일 것입니다. 암호로 보호되는 계정이 손상되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.

References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 13, CWE ID 260, CWE ID 555
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.structural.json.password_management_password_in_configuration_file
Abstract
Hardcoded Password는 해결하기 어려운 방식으로 시스템 보안을 손상시킬 수 있습니다.
Explanation
절대 암호를 하드코드하지 마십시오. 모든 프로젝트 개발자에게 암호를 노출할 뿐 아니라 문제 해결을 극히 어렵게 만듭니다. 코드가 운영 단계에 들어간 후에는 아마도 프로그램 패치만이 암호를 변경할 수 있는 유일한 방법일 것입니다. 암호로 보호되는 계정이 손상되면 시스템 소유자는 보안과 가용성 중 한 가지를 선택해야 합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 13, CWE ID 260, CWE ID 555
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.regex.universal.password_management_password_in_configuration_file

Password Management: Password in HTML Form

Abstract
HTML 폼의 암호 필드를 채우면 시스템이 손상될 수 있습니다.
Explanation
HTML 폼의 암호 필드를 채우면 누구나 HTML 소스에서 해당 값을 볼 수 있습니다. 또한 암호 필드에 저장된 민감한 정보가 프록시나 브라우저에 의해 캐시될 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 259, CWE ID 798
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-000197, CCI-001199, CCI-002361, CCI-002367
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.10.4 Service Authentication Requirements (L2 L3), 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[15] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6, Requirement 8.3.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6, Requirement 8.3.2
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I
desc.content.html.password_management_password_in_html_form

Password Management: Password in Redirect

Abstract
HTTP 리디렉션의 일부로 암호를 보내면 암호가 캐시에 표시, 기록 또는 저장될 수 있습니다.
Explanation
HTTP 리디렉션을 사용하면 사용자의 웹 브라우저가 HTTP GET 요청을 발행할 수 있습니다. 규칙에 따라 HTTP GET와 관련된 매개 변수가 민감한 데이터로 처리되지 않으므로 웹 서버는 매개 변수를 기록하고 프록시는 캐시하고 웹 브라우저는 숨기려고 하지 않습니다. 리디렉션의 일부로 암호 또는 다른 민감한 데이터를 보내면 데이터가 잘못 처리되어 공격자에게 노출될 수 있습니다.

예제 1:

response.sendRedirect("j_security_check?j_username="+usr+"&j_password="+pass);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 359
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-000197, CCI-001199, CCI-002361
[7] Standards Mapping - FIPS200 IA
[8] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[13] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6, Requirement 8.3.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6, Requirement 8.3.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.java.password_management_redirect

Password Management: Plain Text Password in Transit

Abstract
응용 프로그램은 암호화되지 않은 채널을 통해 일반 텍스트 암호를 전송하므로 통신된 데이터가 MiTM(Man-in-The-Middle) 공격을 통한 가로채기에 취약해집니다.
Explanation
응용 프로그램이 암호화되지 않은 채널을 통해 암호를 전송하며 이는 해당 응용 프로그램의 사용자에게 큰 보안 위험이 될 수 있습니다. 일부 예제로 인증 자격 증명을 HTTP를 통해 일반 텍스트로 전송하는 기본 인증 또는 HTTP를 통해 전송되는 양식 기반 인증 자격 증명이 포함되며 이러한 방식은 MiTM(Man-in-The-Middle) 공격을 통한 가로채기에 취약합니다.

References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 522
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [18] CWE ID 522
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [21] CWE ID 522
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000197, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[9] Standards Mapping - FIPS200 MP
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), IA-5 Authenticator Management (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, IA-5 Authenticator Management, SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.10.3 Service Authentication Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-NETWORK-1, MASVS-STORAGE-2
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4, Requirement 8.3.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4, Requirement 8.3.1
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000220 CAT II, APSC-DV-001750 CAT I, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.dotnet.password_management_plain_text_password_in_transit

Password Management: Shared Password Database

Abstract
소스 코드에 암호 데이터베이스를 저장하는 것은 좋은 방법이 아닙니다. 암호화하더라도 이 방법을 사용하면 몇 가지 위험에 노출될 수 있습니다.
Explanation
암호 데이터베이스는 암호 및 기타 민감한 정보를 저장하기 위한 암호화된 데이터베이스입니다. 암호 데이터베이스를 소스 코드와 함께 저장하는 데는 몇 가지 문제가 있습니다.

1. 조직에서 데이터베이스에 사용되는 마스터 암호의 강도를 제어할 수 있는 방법이 없으므로 약한 암호를 사용할 수 있습니다.

2. 암호 데이터베이스를 사용하여 팀 구성원 간에 암호를 공유하면 누구나 자격 증명이 있는 서비스에 익명으로 액세스할 수 있으므로 조직이 내부 위협에 노출됩니다. 팀 구성원이 조직을 떠날 때 모든 공유 암호를 변경해야 하므로 떠나는 구성원의 개인 계정을 비활성화하는 것보다 훨씬 더 많은 시간이 소요됩니다.

3. 암호 데이터베이스가 제공된 제품과 암호를 번들로 사용하는 경우 모든 고객에게 동일한 암호를 사용하거나 각 고객에 대해 고유한 암호를 생성하기 위해 복잡한 논리가 필요할 수 있습니다. 어느 쪽이든 고객을 위험에 노출시킵니다.

4. git와 같은 버전 제어 시스템을 사용하는 경우 이전 버전 암호 데이터베이스에 대한 공격에 취약할 수 있습니다. 이전 버전은 약한 암호가 사용되었거나 안전하지 않은 암호 데이터베이스를 생성했을 수 있는 이전 버전의 암호 관리 소프트웨어가 사용되었을 때부터 존재할 수 있습니다.

5. 소스 코드 디렉터리에 암호 데이터베이스를 저장하면 고객에게 배송되는 빌드된 아티팩트에 실수로 포함될 위험이 높아집니다.

암호 데이터베이스가 유출되면 암호를 해독하기 위한 무차별 대입 공격에 취약해집니다. 암호화의 강도와 사용된 마스터 키에 따라 위험이 상당히 클 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 259, CWE ID 798
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-002367, CCI-003109
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SA-4 Acquisition Process (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SA-4 Acquisition Process, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.3.1 Authenticator Lifecycle Requirements (L1 L2 L3), 2.6.2 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.4 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[14] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[15] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 798
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 798
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.regex.universal.password_management_shared_password_database

Password Management: Weak Cryptography

Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 비밀번호를 읽고 이 비밀번호를 사용하여 URL 요청에 기본 authentication 자격 증명을 설정합니다.


...
var fs:FileStream = new FileStream();
fs.open(new File("config.properties"), FileMode.READ);
var decoder:Base64Decoder = new Base64Decoder();
decoder.decode(fs.readMultiByte(fs.bytesAvailable, File.systemCharset));
var password:String = decoder.toByteArray().toString();

URLRequestDefaults.setLoginCredentialsForHost(hostname, usr, password);
...


이 코드는 올바로 실행되지만 config.properties에 액세스할 수 있는 모든 사용자는 password 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.actionscript.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 구성 파일 또는 기타 데이터 저장소에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 레지스트리에서 비밀번호를 읽고 해당 비밀번호를 사용하여 새 네트워크 자격 증명을 생성합니다.


...
string value = regKey.GetValue(passKey).ToString());
byte[] decVal = Convert.FromBase64String(value);
NetworkCredential netCred =
  new NetworkCredential(username,decVal.toString(),domain);
...


이 코드는 바르게 실행되지만 암호를 저장하는 데 사용되는 레지스트리 키에 대한 액세스 권한이 있는 사용자면 누구나 password의 값을 읽을 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Scott Mitchell Protecting Connection Strings and Other Configuration Information Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 261
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dotnet.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 구성 파일 또는 기타 데이터 저장소에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 레지스트리에서 비밀번호를 읽어 안전하지 못한 인코딩 알고리즘을 사용하는 코드를 디코딩하고 이 비밀번호를 사용하여 데이터베이스에 연결합니다.


...
RegQueryValueEx(hkey, TEXT(.SQLPWD.), NULL,
                NULL, (LPBYTE)password64, &size64);
Base64Decode(password64, size64, (BYTE*)password, &size);
rc = SQLConnect(*hdbc, server, SQL_NTS, uid,
                SQL_NTS, password, SQL_NTS);
...


이 코드는 성공적으로 실행되지만 암호 저장에 사용된 레지스트리 키에 액세스할 수 있는 모든 사용자는 password64 값을 읽고 값이 base64로 인코딩되었다는 것을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Windows Data Protection Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 261
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cpp.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽고 이 암호를 사용하여 데이터베이스에 연결합니다.


...
01  RECORDX.
     05  UID              PIC X(10).
     05  PASSWORD         PIC X(10).
     05  LEN              PIC S9(4) COMP.
...
EXEC CICS
  READ
  FILE('CFG')
  INTO(RECORDX)
  RIDFLD(ACCTNO)
  ...
END-EXEC.

CALL "g_base64_decode_inplace" using
   BY REFERENCE PASSWORD
   BY REFERENCE LEN
   ON EXCEPTION
       DISPLAY "Requires GLib library" END-DISPLAY
END-CALL.

EXEC SQL
  CONNECT :UID
  IDENTIFIED BY :PASSWORD
END-EXEC.
...


이 코드는 올바로 실행되지만 CFG에 액세스할 수 있는 모든 사용자는 암호 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cobol.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
암호 관리 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 암호 관리 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 JSON 파일에서 암호를 읽고 이 암호를 사용하여 요청의 권한 부여 헤더를 설정합니다.


...
file, _ := os.Open("config.json")
decoder := json.NewDecoder(file)
decoder.Decode(&values)
password := base64.StdEncoding.DecodeString(values.Password)

request.SetBasicAuth(values.Username, password)
...


이 코드는 올바로 실행되지만 config.json에 액세스할 수 있는 모든 사용자는 password의 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.golang.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽어 이 암호를 사용하여 데이터베이스에 연결합니다.


...
Properties prop = new Properties();
prop.load(new FileInputStream("config.properties"));
String password = Base64.decode(prop.getProperty("password"));

DriverManager.getConnection(url, usr, password);
...


이 코드는 올바로 실행되지만 config.properties에 액세스할 수 있는 모든 사용자는 password 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.

모바일 환경에서는 장치 분실 위험이 높기 때문에 암호 관리가 특히 중요합니다.
예제 2: 다음 코드는 Android WebView 저장소에서 사용자 이름과 암호를 읽은 다음 보호된 페이지를 보기 위한 인증을 설정하는 데 사용합니다.

...
webview.setWebViewClient(new WebViewClient() {
  public void onReceivedHttpAuthRequest(WebView view,
        HttpAuthHandler handler, String host, String realm) {
    String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
    String username = new String(Base64.decode(credentials[0], DEFAULT));
    String password = new String(Base64.decode(credentials[1], DEFAULT));
    handler.proceed(username, password);
  }
});
...


WebView 자격 증명은 기본적으로 일반 텍스트로 저장되고 해시되지 않습니다. 따라서 사용자가 루팅된 장치나 에뮬레이터를 사용하는 경우 지정된 사이트에 저장된 암호를 읽을 수 있습니다.
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 261
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 하드코드된 비밀번호를 사용하여 응용 프로그램에 연결하고 주소록 항목을 검색합니다.


...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','tiger');
...


이 코드는 성공적으로 실행되지만 코드를 포함하는 웹 페이지에 액세스하는 사람은 누구나 암호를 볼 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.javascript.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 plist 파일에서 암호를 읽고, 암호로 보호되는 파일의 압축을 풀 때 이 암호를 사용합니다.

...
NSDictionary *dict= [NSDictionary dictionaryWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"Config" ofType:@"plist"]];
NSString *encoded_password = [dict valueForKey:@"encoded_password"];
NSData *decodedData = [[NSData alloc] initWithBase64EncodedString:encoded_password options:0];
NSString *decodedString = [[NSString alloc] initWithData:decodedData encoding:NSUTF8StringEncoding];
[SSZipArchive unzipFileAtPath:zipPath toDestination:destPath overwrite:TRUE password:decodedString error:&error];
...


이 코드는 올바로 실행되지만 Config.plist 파일에 액세스할 수 있는 모든 사용자는 encoded_password의 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다.

모바일 환경에서는 장치 분실 위험이 높기 때문에 암호 관리가 특히 중요합니다.
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 261
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽고 이 암호를 사용하여 데이터베이스에 연결합니다.


...
$props = file('config.properties', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
$password = base64_decode($props[0]);

$link = mysql_connect($url, $usr, $password);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
...


이 코드는 올바로 실행되지만 config.properties에 액세스할 수 있는 모든 사용자는 password 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.php.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽고 이 암호를 사용하여 데이터베이스에 연결합니다.


...
props = os.open('config.properties')
password = base64.b64decode(props[0])

link = MySQLdb.connect (host = "localhost",
                           user = "testuser",
                           passwd = password,
                           db = "test")
...


이 코드는 올바로 실행되지만 config.properties에 액세스할 수 있는 모든 사용자는 password 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.python.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 구성 파일 또는 기타 데이터 저장소에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 환경 변수에서 비밀번호를 읽어 안전하지 못한 인코딩 알고리즘으로 비밀번호를 디코딩하고 이 비밀번호를 사용하여 데이터베이스에 연결합니다.


require 'pg'
require 'base64'
...
passwd = Base64.decode64(ENV['PASSWD64'])
...
conn = PG::Connection.new(:dbname => "myApp_production", :user => username, :password => passwd, :sslmode => 'require')



이 코드는 성공적으로 실행되지만 암호를 저장하는 데 사용되는 환경 변수에 액세스할 수 있는 모든 사용자는 PASSWD64의 값을 읽고 해당 값이 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.ruby.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
암호 관리 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 암호 관리 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽고 이 암호를 사용하여 데이터베이스에 연결합니다.


...
val prop = new Properties();
prop.load(new FileInputStream("config.properties"));
val password = Base64.decode(prop.getProperty("password"));

DriverManager.getConnection(url, usr, password);
...


이 코드는 올바로 실행되지만 config.properties에 액세스할 수 있는 모든 사용자는 password의 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 접근 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.scala.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 plist 파일에서 암호를 읽고, 암호로 보호되는 파일의 압축을 풀 때 이 암호를 사용합니다.

...
var myDict: NSDictionary?
if let path = NSBundle.mainBundle().pathForResource("Config", ofType: "plist") {
    myDict = NSDictionary(contentsOfFile: path)
}
if let dict = myDict {
    let password = base64decode(dict["encoded_password"])
    zipArchive.unzipOpenFile(zipPath, password:password])
}
...


이 코드는 올바로 실행되지만 Config.plist 파일에 액세스할 수 있는 모든 사용자는 encoded_password의 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다.

모바일 환경에서는 장치 분실 위험이 높기 때문에 암호 관리가 특히 중요합니다.
References
[1] SQLCipher.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 261
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[16] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[18] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[19] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
암호 관리 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 암호 관리 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.

예제 1: 다음 Linux 섀도 파일에는 약한 암호화 알고리즘 DES를 사용하는 암호가 포함되어 있습니다.


...
root:qFio7llfVKk.s:19033:0:99999:7:::
...


DES 알고리즘은 약한 것으로 판명되었으며 며칠 만에 무차별 대입 공격을 받을 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.regex.universal.password_management_weak_cryptography
Abstract
암호를 안전하지 못한 인코딩으로 감추는 것으로는 암호를 보호할 수 없습니다.
Explanation
Password Management 이슈는 암호를 응용 프로그램의 속성 또는 구성 파일에 일반 텍스트로 저장할 때 발생합니다. 프로그래머는 base64 인코딩과 같은 인코딩 함수로 암호를 숨겨 Password Management 문제를 해결하려고 하지만 이런 노력으로는 암호를 제대로 보호할 수 없습니다.
예제 1: 다음 코드는 속성 파일에서 암호를 읽고 이 암호를 사용하여 데이터베이스에 연결합니다.


...
...
Private Declare Function GetPrivateProfileString _
  Lib "kernel32" Alias "GetPrivateProfileStringA" _
  (ByVal lpApplicationName As String, _
  ByVal lpKeyName As Any, ByVal lpDefault As String, _
  ByVal lpReturnedString As String, ByVal nSize As Long, _
  ByVal lpFileName As String) As Long
...
Dim password As String
...
password = StrConv(DecodeBase64(GetPrivateProfileString("MyApp", "Password", _
  "", value, Len(value), _
   App.Path & "\" & "Config.ini")), vbUnicode)
...
con.ConnectionString = "Driver={Microsoft ODBC for Oracle};Server=OracleServer.world;Uid=scott;Passwd=" & password &";"
...



이 코드는 올바로 실행되지만 Config.ini에 액세스할 수 있는 모든 사용자는 Password 값을 읽고 base64로 인코딩된 값임을 쉽게 알 수 있습니다. 비양심적인 직원이 이 정보에 대한 액세스 권한을 갖게 되면 이를 사용하여 시스템에 침입할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 261
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SC-28 Protection of Information at Rest
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.3 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.3 Algorithms (L2 L3), 6.2.4 Algorithms (L2 L3), 6.2.5 Algorithms (L2 L3), 6.2.6 Algorithms (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[15] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[17] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[18] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[19] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[20] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[21] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.vb.password_management_weak_cryptography

Password Management: Weak Redundancy

Abstract
암호 확인 시에는 암호를 복사하는 대신 새 암호를 두 번 입력해야 합니다.
Explanation
암호를 변경하거나 새 사용자 계정을 생성하려면 일반적으로 확인을 위해 새 암호를 두 번 입력해야 합니다. 암호를 두 번 전달하는 대신 복사한 암호를 전달하면 사용자가 암호를 잘못 입력하지 않았는지를 API가 확인할 수 없으므로 안전을 위한 암호 확인 메커니즘을 우회하게 됩니다.

예제 1:

    String password=request.getParameter("password");
    ...
    DefaultUser user = (DefaultUser) ESAPI.authenticator().createUser(username, password, password);
References
[1] OWASP ESAPI Secure Coding API: User
[2] Standards Mapping - Common Weakness Enumeration CWE ID 521
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - FIPS200 IA
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.1.11 Password Security Requirements (L1 L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 6.5.4, Requirement 6.5.6, Requirement 8.3.1
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective 7 - Use of Cryptography, Control Objective C.2.1.2 - Web Software Access Controls
desc.structural.java.password_management_weak_redundancy

Path Manipulation

Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 파일에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다.


...
*Get the report that is to be deleted
r_name = request->get_form_field( 'report_name' ).
CONCATENATE `C:\\users\\reports\\` r_name INTO dsn.
DELETE DATASET dsn.
...


공격자가 "..\\..\\usr\\sap\\DVEBMGS00\\exe\\disp+work.exe" 등의 파일 이름을 지정하면 응용 프로그램이 중요 파일을 삭제하게 되므로 SPS 시스템이 즉시 중단됩니다.

예제 2: 다음 코드는 사용자가 지정한 모든 날짜의 송장에 대한 세부 내용을 표시합니다.


...
PARAMETERS: p_date TYPE string.

*Get the invoice file for the date provided
CALL FUNCTION 'FILE_GET_NAME'
  EXPORTING
    logical_filename        = 'INVOICE'
    parameter_1             = p_date
  IMPORTING
    file_name               = v_file
  EXCEPTIONS
    file_not_found          = 1
    OTHERS                  = 2.
IF sy-subrc <> 0.
* Implement suitable error handling here
ENDIF.

OPEN DATASET v_file FOR INPUT IN TEXT MODE.

DO.
  READ DATASET v_file INTO v_record.
  IF SY-SUBRC NE 0.
    EXIT.
  ELSE.
    WRITE: / v_record.
  ENDIF.
ENDDO.
...


공격자가 유효한 날짜 대신 "..\\..\\usr\\sap\\sys\\profile\\default.pfl" 등의 문자열을 지정하면 응용 프로그램은 모든 기본 SAP 응용 프로그램 서버 매개 변수 설정을 노출시키고, 이는 더욱 치밀한 공격으로 이어질 수 있습니다.
References
[1] SAP OSS Notes 1497003, 1543851, 177702 and related ones.
[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.abap.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var rName:String = String(params["reportName"]);
var rFile:File = new File("/usr/local/apfr/reports/" + rName);
...
rFile.deleteFile();
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 "디버그" 콘솔 또는 로그 파일에 씁니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
fs.readBytes(arr);
trace(arr);
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.actionscript.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예제 1: 다음 Visualforce 작업 메서드는 사용자의 입력을 사용하여 정적 리소스에 액세스합니다.


public class MyController {
    ...
    public PageRerference loadRes() {
        PageReference ref = ApexPages.currentPage();
        Map<String,String> params = ref.getParameters();
        if (params.containsKey('resName')) {
            if (params.containsKey('resPath')) {
                return PageReference.forResource(params.get('resName'), params.get('resPath'));
            }
        }
        return null;
    }
}


프로그래머는 공격자가 리소스 이름과 경로를 조작하여 공개용이 아닌 리소스에 액세스할 수 있는 가능성을 고려하지 않았습니다.
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.apex.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "..\\..\\Windows\\System32\\krnl386.exe" 등의 파일 이름을 제공하여 응용 프로그램이 중요한 Windows 시스템 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


String rName = Request.Item("reportName");
...
File.delete("C:\\users\\reports\\" + rName);
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 충분한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 ".txt"인 파일을 읽을 수 있습니다.


sr = new StreamReader(resmngr.GetString("sub")+".txt");
while ((line = sr.ReadLine()) != null) {
Console.WriteLine(line);
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dotnet.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 CGI 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../apache/conf/httpd.conf" 등의 파일 이름을 제공하여 응용 프로그램이 지정한 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


char* rName = getenv("reportName");
...
unlink(rName);
예제 2: 다음 코드는 명령줄의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 충분한 권한으로 실행되고 악의적인 사용자가 파일에 대한 소프트 링크를 만들게 되면 프로그램을 이용하여 시스템의 모든 파일의 첫 부분을 읽을 수 있습니다.


ifstream ifs(argv[0]);
string s;
ifs >> s;
cout << s;
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cpp.path_manipulation
Abstract
사용자 입력이 파일 작업에 사용되는 파일 리소스 이름을 제어하는 것을 허용하면 공격자가 응용 프로그램이 의도하지 않은 데이터 집합에 접근하거나 이를 수정할 수 있습니다.
Explanation
CICS에서 Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 CICS 파일 작업에 사용되는 파일 리소스(FCT) 이름을 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 무단으로 접근할 수 있습니다.

예를 들어 공격자는 프로그램을 악용하여 응용 프로그램이 일반적으로 액세스하지 않는 CICS 지역에 대해 구성된 데이터를 읽거나 쓸 수 있습니다.
예제 1: 다음 코드는 HTML 형식에서 입력을 사용하여 파일의 기록을 업데이트하거나 삭제할 수 있습니다.


...
EXEC CICS
  WEB READ
  FORMFIELD(FILE)
  VALUE(FILENAME)
  ...
END-EXEC.

EXEC CICS
  READ
  FILE(FILENAME)
  INTO(RECORD)
  RIDFLD(ACCTNO)
  UPDATE
  ...
END-EXEC.
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cobol.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 웹 폼의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "..\\..\\Windows\\System32\\krnl386.exe" 등의 파일 이름을 제공하여 응용 프로그램이 중요한 Windows 시스템 파일을 삭제하게 만들 가능성을 고려하지 않았습니다. 


<cffile action = "delete"
       file = "C:\\users\\reports\\#Form.reportName#">
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cfml.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어할 수 있으면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
예제 1: 다음 예에서는 파일을 안전하지 않은 방식으로 삭제합니다.


  final server = await HttpServer.bind('localhost', 18081);
  server.listen((request) async {
    final headers = request.headers;
    final path = headers.value('path');
    File(path!).delete();
  }
Example 1에서는 파일에 대한 삭제 기능을 수행하기 전에 headers.value('path')의 유효성을 검사하지 않습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[19] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[21] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[22] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[23] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[24] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[26] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[40] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[41] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dart.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


    rName := "/usr/local/apfr/reports/" + req.FormValue("fName")

    rFile, err := os.OpenFile(rName, os.O_RDWR|os.O_CREATE, 0755)

    defer os.Remove(rName);
    defer rFile.Close()
    ...
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


    ...
    config := ReadConfigFile()

    filename := config.fName + ".txt";
    data, err := ioutil.ReadFile(filename)

    ...

    fmt.Println(string(data))
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.golang.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);


모바일 환경에서는 Path manipulation과 같은 전형적인 취약성이 발생하지 않는다고 생각하는 사용자도 있습니다. 자기 자신을 공격하는 사용자는 없을 것이라 여기기 때문입니다. 그러나 모바일 플랫폼의 핵심 요소는 다양한 소스에서 다운로드되어 같은 장치에서 함께 실행되는 응용 프로그램이라는 점을 유념해야 합니다. 즉 금융 응용 프로그램과 맬웨어를 함께 실행할 가능성이 높으므로 프로세스 간 통신을 포함하도록 모바일 응용 프로그램의 공격 표면을 확장해야 합니다.

예제 3: 다음 코드는 Example 1을 Android 플랫폼에 맞게 조정합니다.


...
        String rName = this.getIntent().getExtras().getString("reportName");
	File rFile = getBaseContext().getFileStreamPath(rName);
...
	rFile.delete();
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.java.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


...
var reportNameParam = "reportName=";
var reportIndex = document.indexOf(reportNameParam); 
if (reportIndex < 0) return; 
var rName = document.URL.substring(reportIndex+reportNameParam.length);
window.requestFileSystem(window.TEMPORARY, 1024*1024, function(fs) {
  fs.root.getFile('/usr/local/apfr/reports/' + rName, {create: false}, function(fileEntry) {
    fileEntry.remove(function() {
      console.log('File removed.');
    }, errorHandler);

  }, errorHandler);
}, errorHandler);
예제 2: 다음 코드는 로컬 저장소의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려보냅니다. 악의적인 사용자가 로컬 저장소의 내용을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


...
var filename = localStorage.sub + '.txt';
function oninit(fs) {
  fs.root.getFile(filename, {}, function(fileEntry) {
    fileEntry.file(function(file) {
       var reader = new FileReader();
       reader.onloadend = function(e) {
         var txtArea = document.createElement('textarea');
         txtArea.value = this.result;
         document.body.appendChild(txtArea);
       };
       reader.readAsText(file);
    }, errorHandler);
  }, errorHandler);
}

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.javascript.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


val rName: String = request.getParameter("reportName")
val rFile = File("/usr/local/apfr/reports/$rName")
...
rFile.delete()
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


fis = FileInputStream(cfg.getProperty("sub").toString() + ".txt")
amt = fis.read(arr)
out.println(arr)


모바일 환경에서는 Path manipulation과 같은 전형적인 취약성이 발생하지 않는다고 생각하는 사용자도 있습니다. 자기 자신을 공격하는 사용자는 없을 것이라 여기기 때문입니다. 그러나 모바일 플랫폼의 핵심 요소는 다양한 소스에서 다운로드되어 같은 장치에서 함께 실행되는 응용 프로그램이라는 점을 유념해야 합니다. 즉 금융 응용 프로그램과 맬웨어를 함께 실행할 가능성이 높으므로 프로세스 간 통신을 포함하도록 모바일 응용 프로그램의 공격 표면을 확장해야 합니다.

예제 3: 다음 코드는 Example 1을 Android 플랫폼에 맞게 조정합니다.


...
        val rName: String = getIntent().getExtras().getString("reportName")
        val rFile: File = getBaseContext().getFileStreamPath(rName)
...
        rFile.delete()
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.kotlin.path_manipulation
Abstract
공격자는 파일 시스템 경로 인수를 제어할 수 있습니다. 그렇지 않을 때 보호할 수 있는 파일을 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 사용자의 입력을 사용하여 파일 경로를 생성합니다. 프로그래머는 공격자가 다른 파일 이름을 제공하여 응용 프로그램이 의도하지 않은 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


- (NSData*) testFileManager {

    NSString *rootfolder = @"/Documents/";
    NSString *filePath = [rootfolder stringByAppendingString:[fileName text]];

    NSFileManager *fm = [NSFileManager defaultManager];
    return [fm contentsAtPath:filePath];
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.objc.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


$rName = $_GET['reportName'];
$rFile = fopen("/usr/local/apfr/reports/" . rName,"a+");
...
unlink($rFile);
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


...
$filename = $CONFIG_TXT['sub'] . ".txt";
$handle = fopen($filename,"r");
$amt = fread($handle, filesize($filename));
echo $amt;
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.php.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


rName = req.field('reportName')
rFile = os.open("/usr/local/apfr/reports/" + rName)
...
os.unlink(rFile);
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


...
filename = CONFIG_TXT['sub'] + ".txt";
handle = os.open(filename)
print handle
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.python.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


rName = req['reportName']
File.delete("/usr/local/apfr/reports/#{rName}")
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


...
fis = File.new("#{cfg.getProperty("sub")}.txt")
amt = fis.read
puts amt
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.ruby.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "../../tomcat/conf/server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


def readFile(reportName: String) = Action { request =>
    val rFile = new File("/usr/local/apfr/reports/" + reportName)
    ...
    rFile.delete()
}
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


val fis = new FileInputStream(cfg.getProperty("sub")+".txt")
val amt = fis.read(arr)
out.println(arr)
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.scala.path_manipulation
Abstract
공격자는 파일 시스템 경로 인수를 제어할 수 있습니다. 그렇지 않을 때 보호할 수 있는 파일을 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 사용자의 입력을 사용하여 파일 경로를 생성합니다. 프로그래머는 공격자가 다른 파일 이름을 제공하여 응용 프로그램이 의도하지 않은 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


func testFileManager() -> NSData {
    let filePath : String = "/Documents/\(fileName.text)"
    let fm : NSFileManager = NSFileManager.defaultManager()
    return fm.contentsAtPath(filePath)
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.swift.path_manipulation
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 접근하거나 수정할 수 있습니다.
Explanation
Path manipulation 오류는 다음 두 가지 조건을 만족할 때 발생합니다.

1. 공격자가 파일 시스템상의 작업에 사용되는 경로를 지정할 수 있습니다.

2. 공격자가 리소스를 지정하여 다른 방법으로는 허용되지 않는 권한을 얻습니다.

예를 들어, 프로그램이 공격자에게 지정한 파일을 덮어쓰거나 공격자가 제어하는 구성으로 실행할 수 있는 권한을 주는 것입니다.
예제 1: 다음 코드는 HTTP 요청의 입력을 사용하여 파일 이름을 만듭니다. 프로그래머는 공격자가 "..\conf\server.xml" 등의 파일 이름을 제공하여 응용 프로그램이 자신의 구성 파일을 삭제하게 만들 가능성을 고려하지 않았습니다.


Dim rName As String
Dim fso As New FileSystemObject
Dim rFile as File
Set rName = Request.Form("reportName")
Set rFile = fso.GetFile("C:\reports\" & rName)
...
fso.DeleteFile("C:\reports\" & rName)
...
예제 2: 다음 코드는 구성 파일의 입력을 사용하여 열 파일을 결정하고 사용자에게 돌려 보냅니다. 프로그램이 일정한 권한으로 실행되고 악의적인 사용자가 구성 파일을 변경할 수 있는 경우, 이 프로그램을 사용하여 시스템에서 확장명이 .txt인 파일을 읽을 수 있습니다.


Dim fileName As String
Dim tsContent As String
Dim ts As TextStream
Dim fso As New FileSystemObject

fileName = GetPrivateProfileString("MyApp", "sub", _
  "", value, Len(value), _
   App.Path & "\" & "Config.ini")
...
Set ts = fso.OpenTextFile(fileName,1)
tsContent = ts.ReadAll
Response.Write tsContent
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.vb.path_manipulation

Path Manipulation: Base Path Overwriting

Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 그렇지 않을 때 보호할 수 있는 시스템 리소스에 공격자가 액세스하거나 수정할 수 있습니다.
Explanation
Path.Combine은 여러 파일 경로를 인수로 사용합니다. 일반적으로 파일에 대한 read() 또는 write() 호출 후에 여러 파일 경로를 연결하여 하나의 전체 경로를 가져옵니다. 첫 번째 또는 나머지 매개 변수가 절대 경로인지 여부에 따라 서로 다른 여러 시나리오가 설명서에 설명되어 있습니다. 두 번째 또는 나머지 매개 변수가 절대 경로인 경우 Path.Combine()은 해당 절대 경로를 반환합니다. 이전 매개 변수는 무시됩니다. 이 경우 다음 예제와 유사한 코드가 있는 응용 프로그램에서 심각한 영향이 발생합니다.


예제 1: 다음 코드는 사용자가 제어하는 경로 요소가 있는 파일을 안전하지 않게 로드합니다.


  // Called with user-controlled data
  public static bytes[] getFile(String filename) 
  {
    String imageDir = "\\FILESHARE\images\";
    filepath = Path.Combine(imageDir, filename);
    return File.ReadAllBytes(filepath);
  }


공격자는 절대 경로(예: C:\\inetpub\wwwroot\web.config)를 제공하여 응용 프로그램이 반환하는 파일을 제어할 수 있습니다.
References
[1] Editorial Team Path.Combine Security Issues in ASP.NET Applications
[2] Microsoft Path.Combine Method
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dotnet.path_manipulation_base_path_overwriting

Path Manipulation: Zip Entry Overwrite

Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어할 수 있으면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


...

  " Add Binary File to
  CALL METHOD lr_abap_zip->add
    EXPORTING
      name    = p_ifile
      content = lv_bufferx.

    " Read Binary File to
  CALL METHOD lr_abap_zip->get
    EXPORTING
      name    = p_ifile
    IMPORTING 
      content = lv_bufferx2.

...
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 p_ifile 검증을 수행하지 않습니다. ZIP 파일이 Unix 기반 컴퓨터의 “/tmp/” 디렉터리에 원래 배치되었고 ZIP 항목이 “../etc/hosts”이며 응용 프로그램이 필요한 권한으로 실행되는 경우 이 파일이 시스템 hosts 파일을 덮어씁니다. 그러면 공격자는 컴퓨터의 트래픽을 공격자 컴퓨터로 다시 보내는 등 원하는 모든 위치로 전송할 수 있습니다.
References
[1] Protecting ABAP code against Directory Traversal Attacks SAP
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.abap.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


    public static void UnzipFile(ZipArchive archive, string destDirectory)
    {
        foreach (var entry in archive.Entries)
        {
            string file = entry.FullName;
            if (!string.IsNullOrEmpty(file))
            {
                string destFileName = Path.Combine(destDirectory, file);
                entry.ExtractToFile(destFileName, true);

            }
        }
    }
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 작업을 수행하기 전에 entry.FullName 검증을 수행하지 않습니다. ZIP 파일이 원래 “C:\TEMP” 디렉터리에 위치하고 ZIP 항목 이름에 “..\ 세그먼트”가 포함되었으며 응용 프로그램이 필요한 권한으로 실행된 경우 시스템 파일을 임의로 덮어쓸 수 있습니다.
References
[1] How to: Compress and extract files Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dotnet.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어할 수 있으면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


func Unzip(src string, dest string) ([]string, error) {
    var filenames []string
    r, err := zip.OpenReader(src)
    if err != nil {
        return filenames, err
    }
    defer r.Close()

    for _, f := range r.File {
        // Store filename/path for returning and using later on
        fpath := filepath.Join(dest, f.Name)

        filenames = append(filenames, fpath)

        if f.FileInfo().IsDir() {
            // Make Folder
            os.MkdirAll(fpath, os.ModePerm)
            continue
        }
        
        // Make File
        if err = os.MkdirAll(filepath.Dir(fpath), os.ModePerm); err != nil {
            return filenames, err
        }

        outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
        if err != nil {
            return filenames, err
        }
    
        rc, err := f.Open()
        if err != nil {
            return filenames, err
        }

        _, err = io.Copy(outFile, rc)

        // Close the file without defer to close before next iteration of loop
        outFile.Close()
        rc.Close()

        if err != nil {
            return filenames, err
        }
    }
    return filenames, nil
}
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 f.Name 검증을 수행하지 않습니다. ZIP 파일이 Unix 기반 컴퓨터의 “/tmp/” 디렉터리에 원래 배치되었고 ZIP 항목이 “../etc/hosts”이며 응용 프로그램이 필요한 권한으로 실행되는 경우 이 파일이 시스템 hosts 파일을 덮어씁니다. 그러면 공격자는 컴퓨터의 트래픽을 공격자 컴퓨터로 다시 보내는 등 원하는 모든 위치로 전송할 수 있습니다.
References
[1] Unzip Files in Go
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.golang.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템의 모든 위치에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


  private static final int BUFSIZE = 512;
  private static final int TOOBIG = 0x640000;
  ...
  public final void unzip(String filename) throws IOException {
    FileInputStream fis = new FileInputStream(filename);
    ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
    ZipEntry zipEntry = null;

    int numOfEntries = 0;
    long total = 0;

    try {
      while ((zipEntry = zis.getNextEntry()) != null) {
        byte data[] = new byte[BUFSIZE];
        int count = 0;
        String outFileName = zipEntry.getName();
        if (zipEntry.isDirectory()){
          new File(outFileName).mkdir(); //create the new directory
          continue;
        }
        FileOutputStream outFile = new FileOutputStream(outFileName);
        BufferedOutputStream dest = new BufferedOutputStream(outFile, BUFSIZE);
        //read data from Zip, but do not read huge entries
        while (total + BUFSIZE <= TOOBIG && (count = zis.read(data, 0, BUFSIZE)) != -1) {
          dest.write(data, 0, count);
          total += count;
        }
        ...
      }
    } finally{
      zis.close();
    }
  }
  ...
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 zipEntry.getName() 검증을 수행하지 않습니다. ZIP 파일이 Unix 기반 컴퓨터의 “/tmp/” 디렉터리에 원래 배치되었고 ZIP 항목이 “../etc/hosts”이며 응용 프로그램이 필요한 권한으로 실행되는 경우 이 파일이 시스템 hosts 파일을 덮어씁니다. 그러면 공격자는 컴퓨터의 트래픽을 공격자 컴퓨터로 다시 보내는 등 원하는 모든 위치로 전송할 수 있습니다.
References
[1] IDS04-J. Safely extract files from ZipInputStream CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.java.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


var unzipper = require('unzipper');
var fs = require('fs');

var untrusted_zip = getZipFromRequest();
fs.createReadStream(zipPath).pipe(unzipper.Extract({ path: 'out' }));
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.structural.javascript.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


    ZZArchive* archive = [ZZArchive archiveWithURL:[NSURL fileURLWithPath: zipPath] error:&error];
    for (ZZArchiveEntry* entry in archive.entries) {
        NSString *fullPath = [NSString stringWithFormat: @"%@/%@", destPath, [entry fileName]];
        [[entry newDataWithError:nil] writeToFile:newFullPath atomically:YES];
    }
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 entry.fileName 검증을 수행하지 않습니다. ZIP 파일이 iOS 응용 프로그램의 “Documents/hot_patches” 디렉터리에 원래 배치되었고 ZIP 항목이 “../js/page.js”인 경우 page.js 파일을 덮어씁니다. 이로 인해 공격자는 코드 실행을 야기할 수 있는 악성 코드를 삽입할 수 있게 됩니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.objc.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업의 경로를 제어할 수 있으면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 추출하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


...
$zip = new ZipArchive();
$zip->open("userdefined.zip", ZipArchive::RDONLY);
$zpm = $zip->getNameIndex(0);
$zip->extractTo($zpm);
...
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 f.Name 검증을 수행하지 않습니다. ZIP 파일이 Unix 기반 컴퓨터의 “/tmp/” 디렉터리에 있고 ZIP 항목이 “../etc/hosts”이며 응용 프로그램이 필요한 권한으로 실행되는 경우 이 파일이 시스템 hosts 파일을 덮어씁니다. 그러면 공격자는 컴퓨터의 트래픽을 공격자 컴퓨터로 다시 보내는 등 원하는 모든 위치로 전송할 수 있습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.php.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


import zipfile
import tarfile

def unzip(archive_name):
    zf = zipfile.ZipFile(archive_name)
    zf.extractall(".")
    zf.close()

def untar(archive_name):
    tf = tarfile.TarFile(archive_name)
    tf.extractall(".")
    tf.close()
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.python.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


import better.files._

...

val zipPath: File = getUntrustedZip()
val destinationPath = file"out/dest"
zipPath.unzipTo(destination = destinationPath)
예제 2: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


import better.files._

...

val zipPath: File = getUntrustedZip()
val destinationPath = file"out/dest"
zipPath.newZipInputStream.mapEntries( (entry : ZipEntry) => {
    entry.extractTo(destinationPath, new FileInputStream(entry.getName))
})
Example 2에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 entry.getName 검증을 수행하지 않습니다. ZIP 파일이 Unix 기반 컴퓨터의 “/tmp/” 디렉터리에 원래 배치되었고 ZIP 항목이 “../etc/hosts”이며 응용 프로그램이 필요한 권한으로 실행되는 경우 이 파일이 시스템 hosts 파일을 덮어씁니다. 그러면 공격자는 컴퓨터의 트래픽을 공격자 컴퓨터로 다시 보내는 등 원하는 모든 위치로 전송할 수 있습니다.
References
[1] IDS04-J. Safely extract files from ZipInputStream CERT
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[20] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[22] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[23] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.scala.path_manipulation_zip_entry_overwrite
Abstract
사용자 입력이 파일 시스템 작업에 사용되는 경로를 제어하는 것을 허용하면 공격자가 시스템에서 임의로 파일을 덮어쓸 수 있습니다.
Explanation
Path Manipulation: ZIP 항목의 파일 경로를 확인하지 않고 ZIP 파일을 열어 확장하면 Zip Entry Overwrite 오류가 발생합니다.

예제 1: 다음 예제에서는 ZIP 파일에서 파일을 추출한 다음 안전하지 않은 방식으로 파일을 디스크에 씁니다.


let archive = try ZZArchive.init(url: URL(fileURLWithPath: zipPath))

for entry in archive.entries {
    let fullPath = URL(fileURLWithPath: destPath + "/" + entry.fileName)
    try entry.newData().write(to: fullPath)
}
Example 1에서는 이 항목 내의 데이터에 대한 읽기/쓰기 기능을 수행하기 전에 entry.fileName 검증을 수행하지 않습니다. ZIP 파일이 iOS 응용 프로그램의 “Documents/hot_patches” 디렉터리에 원래 배치되었고 ZIP 항목이 “../js/page.js”인 경우 page.js 파일을 덮어씁니다. 이로 인해 공격자는 코드 실행을 야기할 수 있는 악성 코드를 삽입할 수 있게 됩니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[35] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[36] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[37] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.swift.path_manipulation_zip_entry_overwrite

PCI Privacy Violation

Abstract
고객 암호 또는 주민 등록 번호 등의 개인 정보 취급 부주의는 사용자 개인 정보를 침해할 수 있고 불법인 경우가 있습니다.
Explanation
Privacy violation은 다음 경우에 발생합니다.

1. 사용자 개인 정보가 프로그램에 입력됩니다.

2. 데이터는 콘솔, file system 또는 네트워크와 같은 외부 위치에 작성됩니다.
예제 1: 다음 코드에는 데이터베이스에 추가되는 레코드를 로그 파일의 콘텐트에 저장하여 추적하는 로깅 명령문이 있습니다.


pass = getPassword();
...
dbmsLog.println(id+":"+pass+":"+type+":"+tstamp);
Example 1의 코드는 일반 텍스트 암호를 파일 시스템에 기록합니다. 많은 개발자가 파일 시스템을 안전한 데이터 저장소로 신뢰하지만 무조건 신뢰해서는 안 됩니다. 특히 개인 정보가 관련된 경우가 대표적입니다.

개인 정보는 다음의 두 가지 이유 때문에 모바일 환경에서 크게 대두되는 문제 중 하나입니다. 그중 하나는 장치 분실 가능성이 훨씬 더 높다는 점이고, 다른 하나는 모바일 응용 프로그램 사이에서 프로세스 간 통신이 이뤄진다는 점입니다. 모바일 플랫폼에서는 다양한 소스에서 다운로드된 응용 프로그램이 같은 장치에서 함께 실행됩니다. 즉 금융 응용 프로그램과 맬웨어를 함께 실행할 가능성이 높으므로 응용 프로그램 작성자는 장치에서 실행되는 다른 응용 프로그램으로 주소가 지정된 메시지에 포함하는 정보를 주의하여 선택해야 합니다. 모바일 응용 프로그램 사이에 진행되는 프로세스 간 통신에 민감한 정보를 포함해서는 안 됩니다.

예제 2: 다음 코드는 Android WebView 저장소에서 지정된 사이트의 사용자 이름과 암호를 읽은 다음 등록된 모든 수신자에게 브로드캐스트합니다.

...
webview.setWebViewClient(new WebViewClient() {
  public void onReceivedHttpAuthRequest(WebView view,
        HttpAuthHandler handler, String host, String realm) {
    String[] credentials = view.getHttpAuthUsernamePassword(host, realm);
    String username = credentials[0];
    String password = credentials[1];
    Intent i = new Intent();
    i.setAction("SEND_CREDENTIALS");
    i.putExtra("username", username);
    i.putExtra("password", password);
    view.getContext().sendBroadcast(i);
  }
});
...


이 예는 몇 가지 문제를 보여줍니다. 첫째, WebView 자격 증명은 기본적으로 일반 텍스트로 저장되고 해시되지 않습니다. 사용자가 루팅된 장치나 에뮬레이터를 사용하는 경우 지정된 사이트에 저장된 암호를 읽을 수 있습니다. 둘째, 일반 텍스트 자격 증명은 등록된 모든 수신자에게 브로드캐스트되어 SEND_CREDENTIALS 작업을 통해 인텐트를 수신 대기하도록 등록된 모든 수신자가 메시지를 수신합니다. 이 경우 수정 방법으로 권한을 사용하지 않는 것이 좋지만, 브로드캐스트는 수신자 수를 제한하는 권한으로도 보호되지 않습니다.

개인 정보는 다음과 같은 다양한 방식으로 프로그램에 입력됩니다.

- 암호 또는 개인 정보의 형태로 사용자가 직접 입력

- 응용 프로그램이 데이터베이스 또는 기타 데이터 저장소에서 접근

- 협력업체 또는 타사를 통해 간접적으로

일반적으로 모바일 환경에서 이 개인 정보는 암호, SSN 및 기타 일반 개인 정보에 따라 다음 사항을 포함합니다.

- 위치

- 휴대폰 번호

- 일련번호 및 장치 ID

- 네트워크 연산자 정보

- 보이스메일 정보


개인 정보로 명명되지 않은 데이터도 상황에 따라 개인 정보로 해석될 수 있습니다. 예를 들어, 학생 ID 번호는 명시적이고 공개적으로 각 학생의 개인 정보에 매핑되지 않기 때문에 보통 개인 정보로 간주하지 않습니다. 하지만 학교에서 학생의 주민 등록 번호를 기반으로 ID 번호를 생성하는 경우 ID 번호는 개인 정보로 간주해야 합니다.

보안 및 개인 정보 문제는 서로 상충하는 것처럼 보일 때가 있습니다. 보안 관점에서 보면 이후에 비정상적인 활동을 식별할 수 있도록 모든 중요한 작업을 기록해야 합니다. 하지만 개인 정보가 관련된 경우 이 방법은 위험이 따릅니다.

개인 정보를 위험하게 처리하는 방법은 여러 가지가 있겠지만 공통적인 위험은 잘못된 신뢰에서 비롯됩니다. 프로그래머는 프로그램이 실행되는 운영 환경을 신뢰하기 때문에 개인 정보를 파일 시스템, 레지스트리 또는 기타 로컬로 제어되는 리소스에 저장해도 무방하다고 생각합니다. 하지만 특정 리소스에 대한 액세스가 제한되어 있는 경우에도 액세스 권한을 가진 개인을 신뢰할 수 있다고 보장할 수 없습니다. 일례로, 2004년, AOL의 한 비양심적인 직원이 해외 도박 웹 사이트를 대상으로 영업하는 스패머에게 약 9천 2백만 개의 고객 전자 메일 주소를 팔았습니다[1].

이런 대형 익스플로이트 사건에 대응하여 개인 정보 수집 및 관리에 대한 규제가 점점 엄격해지고 있습니다. 조직의 위치, 업종 및 취급하는 개인 정보의 속성에 따라 조직은 다음의 연방 정부 및 주 정부의 규제를 하나 이상 준수할 의무가 있습니다.

- 세이프 하버 협정(Safe Harbor Privacy Framework)[3]

- GLBA(Gramm-Leach Bliley Act)[4]

- HIPAA(Health Insurance Portability and Accountability Act)[5]

- California SB-1386 [6]

이런 규제에도 불구하고 privacy violation은 우려할 만한 빈도로 계속 발생하고 있습니다.
References
[1] J. Oates AOL man pleads guilty to selling 92m email addies The Register
[2] Privacy Initiatives U.S. Federal Trade Commission
[3] Safe Harbor Privacy Framework U.S. Department of Commerce
[4] Financial Privacy: The Gramm-Leach Bliley Act (GLBA) Federal Trade Commission
[5] Health Insurance Portability and Accountability Act (HIPAA) U.S. Department of Human Services
[6] California SB-1386 Government of the State of California
[7] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[8] SQLCipher.
[9] FUNDAMENTALS-4: Establish trust boundaries Oracle
[10] CONFIDENTIAL-2: Do not log highly sensitive information Oracle
[11] Standards Mapping - Common Weakness Enumeration CWE ID 359
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[16] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000169
[17] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), AU-12 Audit Generation (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, AU-12 Audit Record Generation
[20] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[23] Standards Mapping - OWASP Mobile 2024 M6 Inadequate Privacy Controls
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[25] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[26] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 6.5.5, Requirement 8.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 8.2.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 8.2.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1, Requirement 8.3.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.1, Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 8.3.1
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.1 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000650 CAT II
[61] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000650 CAT II
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.pci_privacy_violation

Permission Manipulation

Abstract
사용자 입력이 권한을 직접 변경하는 것을 허용하면 공격자가 보호된 시스템 리소스에 접근할 수 있습니다.
Explanation
권한 조작 오류는 공격자가 응용 프로그램 내에서 권한을 결정하는 데 사용되는 값을 수정할 수 있는 경우 발생합니다.

예제 1: 다음 코드는 파일의 입력을 사용하여 응용 프로그램에 필요한 FileIOPermissions를 결정합니다.


...
String permissionsXml = GetPermissionsFromXmlFile();
FileIOPermission perm = new FileIOPermission(PermissionState.None);
perm.FromXml(permissionsXml);
perm.Demand();
...


이 시나리오에서는 사용자가 데이터를 검색하는 데 사용되는 XML 파일을 제어할 수 있는 경우 시스템에서 요구할 수 있는 권한을 제어합니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.3.3 Other Access Control Considerations (L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.permission_manipulation

Permission Manipulation: Logging

Abstract
사용자 입력이 감사를 결정하기 위해 권한을 직접 변경하도록 허용하면 공격자가 해당 작업을 숨길 수 있습니다.
Explanation
권한 조작 로깅 오류는 공격자가 응용 프로그램 내에서 기록될 내용을 결정하는 데 사용되는 권한을 결정하는 데 사용되는 값을 수정할 수 있는 경우 발생합니다. Windows에는 리소스에 대해 액세스가 성공했는지 또는 실패했는지 확인하기 위해 감사해야 하는 사용자 및 그룹을 결정하는 데 사용되는 SACL(시스템 액세스 제어 목록)이 있습니다. 이러한 목록 내에 저장된 ACE(액세스 제어 항목)나 액세스 설정이 공격자에 의해 제어될 수 있는 경우 공격자는 해당 계정 감사를 비활성화할 가능성이 있으므로 공격자가 위반한 작업이 무엇인지 확인하기가 더 어렵게 됩니다.

예제 1: 다음 코드는 사용자가 감사 로그를 생성할 작업을 지정할 수 있도록 합니다.


...
CrytoKeyAuditRule auditRule = new CryptoKeyAuditRule(IdRef, (CryptoKeyRights) input, AuditFlags.Success); 
...


이 시나리오에서는 사용자가 input을 제어할 수 있는 경우 어떤 유형의 작업을 로그할 수 있는지 지정할 수 있습니다. 사용자가 이를 CryptoKeyRights.Delete로 조작할 수 있는 경우 로그되지 않은 상태에서 암호화 키를 읽을 수 있으므로 공격자가 암호화 키를 도용한 사실을 알 수 없습니다.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 732
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [15] CWE ID 732
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [16] CWE ID 732
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [22] CWE ID 732
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001813, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AU-9 Protection of Audit Information (P1), CM-5 Access Restrictions for Change (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AU-9 Protection of Audit Information, CM-5 Access Restrictions for Change
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.3.3 Other Access Control Considerations (L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 7.3.3 Log Protection Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[13] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 732
[29] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 732
[30] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 732
[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II, APSC-DV-001410 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II, APSC-DV-001410 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001280 CAT II, APSC-DV-001290 CAT II, APSC-DV-001300 CAT II, APSC-DV-001310 CAT II, APSC-DV-001320 CAT II, APSC-DV-001330 CAT II, APSC-DV-001410 CAT II
[47] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.permission_manipulation_logging

PHP Misconfiguration: allow_url_fopen Enabled

Abstract
원격 파일에서 작업을 수행하면 공격자가 악성 콘텐트를 프로그램에 삽입할 수 있습니다.
Explanation
allow_url_fopen 옵션이 활성화되면 HTTP 또는 FTP URL을 사용하여 원격 파일에서 작업을 수행할 파일 이름을 수락하는 PHP 함수를 허용합니다. PHP 4.0.4에서 도입되고 기본적으로 활성화되어 있는 이 옵션은 공격자가 응용 프로그램에 악성 콘텐트를 전송할 수 있기 때문에 위험합니다. 최고의 보안 상태에서 원격 파일 작업을 수행하여도 원격 파일을 수정하여 악성 콘텐트를 포함시키는 공격자에게 응용 프로그램이 취약해집니다. 공격자가 응용 프로그램이 작동하는 URL을 제어할 수 있는 최악의 경우, 공격자는 원격 서버에 URL을 제공하여 임의의 악성 콘텐트를 응용 프로그램에 삽입할 수 있습니다.

예제 1: 다음 코드는 이름이 요청 매개 변수에서 제어되는 파일을 열고 해당 콘텐트를 읽습니다. $file 값이 요청 매개 변수에서 제어되므로 공격자는 URL을 원격 파일에 제공하여 프로그래머의 가정을 위반할 수 있습니다.


<?php
$file = fopen ($_GET["file"], "r");
if (!$file) {
    // handle errors
}
while (!feof ($file)) {
    $line = fgets ($file, 1024);
    // operate on file content
}
fclose($file);
?>
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_allow_url_fopen

PHP Misconfiguration: allow_url_include Enabled

Abstract
원격 파일을 참조하는 include 문을 사용하면 공격자가 악성 콘텐트를 프로그램에 삽입할 수 있습니다.
Explanation
allow_url_include 옵션이 활성화되면 원격 파일에서 HTTP 또는 FTP URL을 수락할 수 있도록 하는 include()require()와 같이 현재 페이지에 포함시킬 파일을 지정하는 PHP 함수를 허용합니다. PHP 5.2.0에서 도입되 기본적으로 비활성화되어 있는 이 옵션은 공격자가 응용 프로그램에 악성 콘텐트를 전송할 수 있기 때문에 위험합니다. 최고의 보안 상태에서 원격 파일 작업을 포함하여도 원격 파일을 수정하여 악성 콘텐트를 포함시키는 공격자에게 응용 프로그램이 취약해집니다. 공격자가 응용 프로그램에서 포함할 원격 파일을 지정하는 데 사용하는 URL을 제어할 수 있는 경우, 공격자는 URL을 원격 서버에 제공하여 임의의 악성 콘텐트를 응용 프로그램에 삽입할 수 있습니다.
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 94
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_allow_url_include

PHP Misconfiguration: cgi.force_redirect Disabled

Abstract
웹에서 사용자가 직접 PHP 인터프리터를 호출할 수 있도록 허용하면 공격자는 권한 검사를 무시하고 서버에서 보호된 파일에 접근할 수 있습니다.
Explanation
PHP 인터프리터가 CGI 바이너리로 설치되면 일반적으로 PHP 리소스에 대한 요청은 인터프리터에 대한 웹 서버에서 리디렉션됩니다. 이 경우, 사용자가 http://www.example.com/content/page.php를 요청하면 먼저 서버는 디렉터리/콘텐트에 대한 필수 access control 검사를 허용한 후 http://www.example.com/cgi-bin/php/content/page.php에 대한 요청을 사용하여 PHP 인터프리터에 대한 제어를 리디렉션합니다.

기본적으로 활성화되어 있는 cgi.force_redirect를 비활성화할 경우, /cgi-bin/php에 대한 접근 권한이 있는 공격자는 PHP 인터프리터에 대한 권한을 사용하여 임의의 웹 문서에 접근하고 서버에서 수행한 access control 검사를 무시하게 됩니다.
References
[1] M. Achour et al. PHP Manual
[2] Standards Mapping - Common Weakness Enumeration CWE ID 305
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[10] Standards Mapping - FIPS200 AC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[19] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_cgi_force_redirect

PHP Misconfiguration: enable_dl Enabled

Abstract
dl을 통한 동적 로드를 사용하여 open_basedir 제한을 우회할 수 있습니다.
Explanation
enable_dl 구성은 라이브러리의 동적 로드를 허용합니다. 공격자는 이를 통해 open_basedir 구성으로 설정된 제한을 우회할 수 있으며 시스템의 모든 파일에 대한 액세스가 허용될 수 있습니다.

enable_dl을 활성화하면 공격자가 다른 취약점을 쉽게 악용할 수 있습니다.
References
[1] M. Achour et al. PHP Manual
[2] Emmanuel Dreyfus Securing Systems with Chroot
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.php.php_misconfiguration_enable_dl

PHP Misconfiguration: file_uploads Enabled

Abstract
사용자에게 파일 업로드에 대한 권한을 부여하면 공격자는 위험한 콘텐트를 삽입하거나 악성 코드를 실행할 수 있습니다.
Explanation
file_uploads 옵션을 활성화하면 PHP 사용자가 임의의 파일을 서버에 업로드할 수 있습니다. 사용자에게 파일 업로드에 대한 권한을 부여하여도 보안 취약점 자체는 나타나지 않습니다. 그러나, 이 기능은 악의적인 사용자가 서버 환경에 데이터를 전송할 수 있는 경로를 제공하므로 다양한 공격이 발생할 수 있습니다.

프로그램을 작성한 언어와 관계 없이 대부분의 파괴적인 공격은 원격 코드 실행과 관련이 있으며 이러한 점을 사용하여 공격자는 프로그램의 컨텍스트에 악성 코드를 실행하는 데 성공합니다. 공격자가 웹에서 접근할 수 있는 디렉터리에 파일을 업로드하여 해당 파일이 PHP 인터프리터에 전달되면 이러한 파일에 포함된 악성 코드가 서버에서 실행될 수 있습니다.

예제1: 다음 코드는 업로드한 파일을 처리하고 웹 루트 아래의 디렉터리로 이동시킵니다. 공격자는 악성 PHP 소스 파일을 이 프로그램에 업로드한 후 바로 서버에서 해당 파일을 요청할 수 있기 때문에 PHP 인터프리터에서 실행될 수 있게 됩니다.


<?php
$udir = 'upload/'; // Relative path under Web root
$ufile = $udir . basename($_FILES['userfile']['name']);
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $ufile)) {
    echo "Valid upload received\n";
} else {
    echo "Invalid upload rejected\n";
} ?>


프로그램이 웹에서 접근할 수 없는 디렉터리 아래에 업로드한 파일을 저장하더라도 공격자는 악성 콘텐트를 서버 환경에 전달할 수 있는 능력을 이용하여 공격에 성공할 수 있습니다. 프로그램이 path manipulation, command injection 또는 remote include 취약점에 취약한 경우, 공격자는 악성 콘텐트가 포함된 파일을 업로드하여 프로그램에서 다른 취약점을 익스플로이트하여 해당 파일을 읽거나 실행할 수 있습니다.
References
[1] M. Achour et al. PHP Manual
[2] Alla Bezroutchko Secure file upload in PHP web applications
[3] Standards Mapping - Common Weakness Enumeration CWE ID 434
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [16] CWE ID 434
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [15] CWE ID 434
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [10] CWE ID 434
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [10] CWE ID 434
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [10] CWE ID 434
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [10] CWE ID 434
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[11] Standards Mapping - FIPS200 CM
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.2.1 File Integrity Requirements (L2 L3), 12.5.2 File Download Requirements (L1 L2 L3), 13.1.5 Generic Web Service Security Verification Requirements (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[20] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[23] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.4 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.php.php_misconfiguration_file_uploads

PHP Misconfiguration: Missing open_basedir Entry

Abstract
PHP 프로그램이 전체 file system에 접근 권한을 제공하면 공격자가 접근할 수 없는 파일을 읽고 쓰거나 만들 수 있습니다.
Explanation
open_basedir 구성 옵션이 있으면 PHP 프로그램이 php.ini에 지정된 디렉터리 트리 외부에서 파일을 조작할 수 없게 됩니다. open_basedir 옵션을 사용하여 지정된 디렉터리가 없는 경우 PHP에서 실행되는 프로그램은 로컬 파일 시스템에 있는 임의의 파일에 대한 전체 액세스 권한을 가지며 공격자는 이를 통해 액세스해서는 안 되는 파일을 읽거나 쓰거나 만들 수 있습니다.

open_basedir을 사용하여 제한적인 디렉터리 집합을 지정하지 않으면 공격자가 다른 취약점을 더 쉽게 악용할 수 있습니다.

open_basedir 옵션이 전반적으로 보안에 이득이 되지만 이 옵션을 구현하면 공격자가 특정 환경에서 해당 제한 사항을 무시할 수 있는 race condition을 겪을 수 있습니다[2]. PHP가 액세스 권한 확인을 수행하는 시간과 파일이 열리는 시간 사이에는 TOCTOU(time-of-check, time-of-use) 경합 조건이 존재합니다. 다른 언어의 파일 시스템 경합 조건과 마찬가지로 이 경합 조건을 통해 공격자는 액세스 제어 검사를 통과하는 파일에 대한 심볼릭 링크를 테스트에 실패할 다른 심볼릭 링크로 교체하여 보호된 파일에 대한 액세스 권한을 얻을 수 있습니다.

이러한 공격에 취약한 시간은 액세스 확인이 수행된 시점부터 파일이 열리는 시점까지의 기간입니다. 호출이 빈번하게 수행되더라도 최신 운영 체제에서는 프로세스가 CPU를 더 이상 사용하지 않을 때까지 얼마만큼의 코드 양이 실행될 것인지를 알 수 없습니다. 공격자는 익스플로이트에 쉽게 성공하기 위해 다양한 수법을 동원하여 기회의 폭<(시간 간격)을 확대하지만 폭이 좁을 때에도 익스플로이트 시도가 성공할 때까지 여러 번 반복합니다.
References
[1] M. Achour et al. PHP Manual
[2] Stefan Esser PHP open_basedir Race Condition Vulnerability
[3] open_basedir Confusion
[4] Artur Maj Securing PHP
[5] Emmanuel Dreyfus Securing Systems with Chroot
[6] Standards Mapping - Common Weakness Enumeration CWE ID 284
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[17] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.php.php_misconfiguration_open_basedir