Reino: Encapsulation

Encapsulamento consiste em traçar limites fortes. Em um navegador web, isso pode significar que seu código para dispositivos móveis não pode ser abusado por outros códigos para dispositivos móveis. No servidor, pode significar a diferenciação entre dados validados e não validados, entre os dados de dois usuários ou entre os dados que os usuários podem ou não acessar.

Hidden Field

Abstract

O programa cria um campo de formulário oculto.

Explanation

Os programadores geralmente confiam no conteúdo de campos ocultos, esperando que os usuários não sejam capazes de visualizar esses campos ou de manipular seu conteúdo. Os invasores violarão essas suposições. Eles vão examinar os valores gravados em campos ocultos e alterá-los ou substituir o conteúdo por dados de ataque.

Exemplo:


  HtmlInputHidden hidden = new HtmlInputHidden();

Se campos ocultos contiverem informações confidenciais, estas serão armazenadas em cache da mesma forma que o restante da página. Isso pode fazer com que informações confidenciais sejam escondidas no cache do navegador sem o conhecimento do usuário.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 472

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002420

[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[5] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[7] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[8] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 642

[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3610 CAT I

[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3610 CAT I

[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3610 CAT I

[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I

[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I

[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I

[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002485 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002485 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002485 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002485 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002485 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002485 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002485 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002485 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002485 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002485 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002485 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002485 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002485 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002485 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002485 CAT I

[31] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[32] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.semantic.dotnet.hidden_field

Abstract

O programa cria um campo de formulário oculto.

Explanation


  Hidden hidden = new Hidden(element);

References

[1] IDS14-J. Do not trust the contents of hidden form fields CERT

[2] Standards Mapping - Common Weakness Enumeration CWE ID 472

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002420

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[8] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[9] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 642

[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3610 CAT I

[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3610 CAT I

[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3610 CAT I

[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I

[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I

[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I

[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I

[17] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002485 CAT I

[18] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002485 CAT I

[19] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002485 CAT I

[20] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002485 CAT I

[21] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002485 CAT I

[22] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002485 CAT I

[23] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002485 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002485 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002485 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002485 CAT I

[27] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002485 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002485 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002485 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002485 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002485 CAT I

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[33] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.semantic.java.hidden_field

Abstract

Um campo de formulário oculto é usado.

Explanation


<input type="hidden">