205 itens encontrados

Vulnerabilidades

.NET Bad Practices: Leftover Debug Code

C#/VB.NET/ASP.NET

Abstract

O código de depuração pode ter efeitos colaterais indesejados na implantação.

Explanation

APIs destinadas apenas para fins de depuração são usadas.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

ADF Bad Practices: Default url-invoke-disallowed Setting

Java/JSP

Abstract

Basear-se em uma configuração implícita url-invoke-disallowed padrão não tem clareza e pode levar a um comportamento indesejado se o padrão mudar inesperadamente.

Explanation

Por padrão, os fluxos de tarefas em um aplicativo Fusion não são diretamente acessíveis a partir de uma solicitação GET: sempre que um URL tenta invocar o fluxo de tarefas, ele recebe um código de status HTTP 403. No entanto, confiar em uma configuração implícita sempre carece de clareza e pode levar a um comportamento indesejado se a configuração padrão for alterada posteriormente.

Exemplo 1: O seguinte trecho de um arquivo de definição de fluxo de tarefas mostra o mesmo fluxo de tarefas definida com a configuração implícita url-invoke-disallowed por padrão.


...
    <task-flow-definition id="password">
        <default-activity>PasswordPrompt</default-activity>
        <view id="PasswordPrompt">
            <page>/PasswordPrompt.jsff</page>
        </view>
        <use-page-fragments/>
    </task-flow-definition>
...

References

[1] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.6.4.How to Call a Bounded Task Flow Using a URL

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[3] Standards Mapping - FIPS200 CM

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[28] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.adf_bad_practices_default_url_invoke_disallowed_setting

ADF Faces Bad Practices: unsecure Attribute

Java/JSP

Abstract

O atributo unsecure especifica uma lista de atributos cujos valores podem ser definidos no cliente.

Explanation

Os valores de atributos para componentes do Oracle ADF Faces podem ser definidos normalmente apenas no servidor. No entanto, vários componentes permitem que o desenvolvedor defina uma lista de atributos que podem ser definidos no cliente. O atributo unsecure desses componentes pode especificar uma lista como essa.

Atualmente, o único atributo que pode aparecer dentro do atributo unsecure é disabled e permite que o cliente defina quais componentes estão habilitados e quais não estão. Nunca é uma boa ideia deixar que o cliente controle os valores de atributos que só devem ser configuráveis no servidor.

Exemplo 1: O código a seguir demonstra um componente inputText que coleta informações de senha do usuário e usa o atributo unsecure.


...
    <af:inputText id="pwdBox"
                  label="#{resources.PWD}"
                  value=""#{userBean.password}
                  unsecure="disabled"
                  secret="true"
                  required="true"/>
...

References

[1] Oracle ADF Faces Tag Reference

[2] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[3] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.structural.java.adf_faces_bad_practices_unsecure_attribute

Android Bad Practices: Encryption Secret Held in Static Field

Java/JSP

Abstract

O aplicativo contém chaves de criptografia em campos de classe estática, permitindo a fácil recuperação por invasores.

Explanation

O armazenamento de chaves de criptografia em campos de classe estática permite a recuperação fácil por uma entidade que pode acessar a memória de processo (por exemplo, dispositivo com raiz) ou despejos de memória de processo (por exemplo, despejos de memória).

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 226

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199

[6] Standards Mapping - FIPS200 IA

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 8.3.6 Sensitive Private Data (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.java.android_bad_practices_encryption_secret_held_in_static_field

Android Bad Practices: Leftover Debug Code

Java/JSP

Abstract

O código de depuração pode afetar o desempenho ou vazar dados confidenciais para um invasor.

Explanation

Uma prática comum de desenvolvimento é adicionar código "back door" (porta dos fundos), projetado especificamente para fins de depuração ou teste, que não se destina a ser enviado ou implantado com o aplicativo. Quando esse tipo de código de depuração é acidentalmente deixado no aplicativo, o aplicativo fica aberto a modos não intencionais de interação. Esses pontos de entrada "back door" criam riscos de segurança, pois não são levados em consideração durante procedimentos de design ou teste e não se enquadram nas condições operacionais esperadas do aplicativo.

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4

[5] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.java.android_bad_practices_leftover_debug_code

Android Bad Practices: Use of File Scheme Cookies

Java/JSP

Abstract

O aplicativo permite que sejam usados cookies para o protocolo file:// que pode ter implicações de segurança indesejáveis.

Explanation

Os cookies são estritamente um mecanismo HTTP, de acordo com a RFC 2109. Não deve haver expectativa razoável de que eles trabalhem para protocolos que não sejam HTTP, incluindo file://. Não está claro qual deve ser seu comportamento e quais regras de compartimentalização de segurança devem ser aplicadas. Por exemplo, os arquivos HTML baixados para o disco local da Internet compartilham os mesmos cookies que qualquer código HTML instalado localmente?

References

[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[2] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

desc.semantic.java.android_bad_practices_use_of_file_scheme_cookies

ASP.NET Middleware Out of Order: Default Cookie Configuration

C#/VB.NET/ASP.NET

Abstract

O aplicativo especifica o middleware de diretiva de cookie ASP.NET incorretamente.

Explanation


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[4] Standards Mapping - FIPS200 MP, SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

C#/VB.NET/ASP.NET

Abstract

O aplicativo especifica o middleware de redirecionamento HTTPS ASP.NET padrão incorretamente.

Explanation

O middleware ASP.NET Core que não é adicionado ao pipeline de middleware na ordem correta não funcionará conforme o esperado, deixando um aplicativo aberto a vários problemas de segurança.

Exemplo 1: O método UseHttpsRedirection() adiciona o middleware de redirecionamento HTTPS ao pipeline de middleware, que permite o redirecionamento de solicitações HTTP não seguras para uma solicitação HTTPS segura. Quando especificado na ordem errada, conforme mostrado, nenhum redirecionamento HTTPS significativo ocorrerá antes de processar a solicitação por meio do middleware listado antes do redirecionamento. Isso permitirá que as solicitações HTTP sejam processadas pelo aplicativo antes de serem redirecionadas para a conexão HTTPS segura.


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[8] Standards Mapping - FIPS200 SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-2 Application Partitioning (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-2 Separation of System and User Functionality, SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[14] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

C#/VB.NET/ASP.NET

Abstract

O aplicativo especifica o middleware de registro em log do ASP.NET Core incorretamente.

Explanation

O middleware ASP.NET Core que não é adicionado ao pipeline de middleware na ordem correta não funcionará conforme o esperado, deixando um aplicativo aberto a vários problemas de segurança.

Exemplo 1: O método UseHttpLogging() adiciona middleware de registro em log HTTP ao pipeline de middleware que permite que os componentes de middleware sejam registrados em log. Quando especificado na ordem errada, conforme mostrado, nenhum middleware adicionado ao pipeline antes da chamada para UseHttpLogging() será registrado em log.


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...

Exemplo 2: O método UseWC3Logging() adiciona o middleware de registro em log do W3C ao pipeline de middleware que permite que os componentes de middleware sejam registrados em log. Quando especificado na ordem errada, conforme mostrado, nenhum middleware adicionado ao pipeline antes da chamada para UseWC3Logging() será registrado em log.


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

C#/VB.NET/ASP.NET

Abstract

A ação do controlador pode se beneficiar de ser restrita a aceitar apenas um dos seguintes verbos HTTP: Post, Put, Patch ou Delete.

Explanation

As ações do controlador ASP.NET MVC que modificam dados gravando, atualizando ou excluindo podem se beneficiar da restrição de aceitar um dos seguintes verbos HTTP: Post, Put, Patch ou Delete. Isso aumenta a dificuldade de falsificação de solicitação entre sites, pois o clique acidental de links não fará com que a ação seja executada.

A ação de controlador a seguir aceita qualquer verbo por padrão e pode ser suscetível a falsificação de solicitações entre sites:


public ActionResult UpdateWidget(Model model)
{
  // ... controller logic
}

References

[1] Don't use Delete Links because they create Security Holes

[2] Standards Mapping - Common Weakness Enumeration CWE ID 352

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [4] CWE ID 352

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)

[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)

[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352

[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352

[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery

desc.structural.dotnet.aspnet_mvc_bad_practices_action_not_post_only

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

C#/VB.NET/ASP.NET

Abstract

A classe de modelo tem propriedades obrigatórias e propriedades opcionais. Portanto, ela pode ser suscetível a ataques over-posting.

Explanation

Usar uma classe de modelo que possui propriedades obrigatórias (marcadas com o atributo [Required]) e propriedades opcionais (não marcadas com o atributo [Required]) pode provocar problemas quando um invasor comunica uma solicitação que contém mais dados que o esperado.

A estrutura MVC ASP.NET tentará associar parâmetros de solicitação a propriedades de modelo.

O fato de haver níveis combinados de exigência sem a comunicação explícita de quais parâmetros devem ser associados a modelos pode indicar que existem propriedades de modelo para uso interno, mas que essas propriedades podem ser controladas por um invasor.

O código a seguir define uma possível classe de modelo que tem propriedades com [Required] e propriedades sem [Required]:


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}

Se qualquer parâmetro opcional puder alterar o comportamento de um aplicativo, talvez um invasor seja capaz de realmente mudar esse comportamento comunicando um parâmetro opcional em uma solicitação.

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] BindAttribute Class

[3] RequiredAttribute Class

[4] Standards Mapping - Common Weakness Enumeration CWE ID 345

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

C#/VB.NET/ASP.NET

Abstract

A classe de modelo tem uma propriedade obrigatória não anulável e, portanto, pode ser suscetível a ataques under-posting.

Explanation

Usar uma classe de modelo que possui propriedades obrigatórias não anuláveis (marcadas com o atributo [Required]) pode provocar problemas quando um invasor comunica uma solicitação que contém menos dados do que o esperado.

A estrutura MVC ASP.NET tentará associar parâmetros de solicitação a propriedades de modelo.

Se um modelo tiver um parâmetro obrigatório não anulável e um invasor não comunicar esse parâmetro em uma solicitação -- ou seja, se o invasor usar um ataque under-posting --, a propriedade terá o valor padrão (geralmente zero), que atenderá ao atributo de validação [Required]. Isso pode provocar o comportamento inesperado do aplicativo.

O código a seguir define uma classe de modelo possível que possui uma enumeração obrigatória não anulável:


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] Standards Mapping - Common Weakness Enumeration CWE ID 345

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[11] Standards Mapping - OWASP Top 10 2010 A1 Injection

[12] Standards Mapping - OWASP Top 10 2013 A1 Injection

[13] Standards Mapping - OWASP Top 10 2017 A1 Injection

[14] Standards Mapping - OWASP Top 10 2021 A03 Injection

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

C#/VB.NET/ASP.NET

Abstract

A classe de modelo tem uma propriedade obrigatória cujo tipo é um membro opcional de um tipo de modelo pai e, portanto, pode ser suscetível a ataques under-posting.

Explanation

Se uma classe de modelo tiver a propriedade obrigatória e for do tipo de um membro opcional de uma classe de modelo pai, ela poderá ser suscetível a ataques under-posting se um invasor comunicar uma solicitação contendo menos dados que o esperado.

A estrutura MVC ASP.NET tentará associar parâmetros de solicitação a propriedades de modelo, incluindo submodelos.

Se um submodelo for opcional -- ou seja, se o modelo pai tiver uma propriedade sem o atributo [Required] -- e se um invasor não comunicar esse submodelo, então a propriedade pai terá um valor null, e os campos obrigatórios do modelo filho não serão confirmados pela validação de modelo. Essa é uma das formas de ataque under-posting.

Considere as seguintes definições de classe de modelo:


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}

Se um invasor não comunicar um valor para a propriedade ParentModel.Child, a propriedade ChildModel.RequiredProperty terá um [Required] não confirmado. Isso pode produzir resultados inesperados e indesejáveis.