界: Encapsulation

封装即绘制强边界。在 Web 浏览器中，这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上，这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据，或者区分允许用户查看的数据和不允许用户查看的数据。

Hardcoded Domain in HTML

Universal

Abstract

如果网页包含其他网域的脚本，则意味着此网页的安全取决于其他域的安全。

Explanation

包含来自其他网站的可执行内容是非常危险的。这就会将您站点的安全与其他站点的安全绑在一起。

示例 1：考虑以下 script 标签。


  <script src="http://www.example.com/js/fancyWidget.js"></script>

如果此标签出现在 www.example.com 以外的网站中，则该站点将依赖 www.example.com 来运行正确的非恶意代码。如果攻击者可以入侵 www.example.com，则他们可以篡改 fancyWidget.js 的内容，损害站点安全。例如，他们可以将代码添加到 fancyWidget.js 中，窃取用户的机密数据。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 494, CWE ID 829

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code

[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)

[7] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[8] Standards Mapping - OWASP Mobile 2024 M7 Insufficient Binary Protections

[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-2

[10] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094

[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II

[26] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)

[27] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Process Validation

desc.content.html.hardcoded_domain