界: Security Features

软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。

Password Management: Insecure Submission

Universal

Abstract

将密码作为 HTTP GET 请求的一部分进行提交时，可能会造成密码被显示、记录或存储在缓存中。

Explanation

按照惯例，通常不会将与 HTTP GET 请求有关的参数视为敏感数据，因此 web 服务器会记录这些数据，并将其存储在代理缓存中，同时，web 浏览器也不会刻意隐藏这些数据。作为 HTTP GET 请求的一部分传送密码或其他敏感数据，可能会引起数据的误用，且有可能会被攻击者获取。

示例 1：在以下示例中，新用户密码是通过 HTTP GET 请求提交的。


<form method="get">
  Name of new user: <input type="text" name="username">
  Password for new user: <input type="password" name="user_passwd">
  <input type="submit" name="action" value="Create User">
</form>

另请注意，method 属性的默认值为 GET，因此忽略该属性会引发相同后果。

References

[1] Writing Secure Web Applications Advosys Consulting

[2] W3Schools HTML form method attribute

[3] W3Schools HTML5 input formmethod attribute

[4] Standards Mapping - Common Weakness Enumeration CWE ID 359, CWE ID 522

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200, [13] CWE ID 287

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200, [14] CWE ID 287, [18] CWE ID 522

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [20] CWE ID 200, [21] CWE ID 522

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [17] CWE ID 200

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-000197, CCI-001199, CCI-002361

[12] Standards Mapping - FIPS200 IA

[13] Standards Mapping - General Data Protection Regulation (GDPR) Privacy Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), IA-5 Authenticator Management (P1), SC-28 Protection of Information at Rest (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, IA-5 Authenticator Management, SC-28 Protection of Information at Rest

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 2.10.3 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.1 Malicious Code Search (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[18] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[20] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[21] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[22] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[23] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[24] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[25] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 6.5.9, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 6.5.4, Requirement 8.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 6.5.4, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 6.5.4, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 6.5.4, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 6.5.4, Requirement 8.2.1

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.2.1, Requirement 6.2.4, Requirement 6.5.3, Requirement 6.5.6

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7 - Use of Cryptography

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7 - Use of Cryptography

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7 - Use of Cryptography

[38] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[39] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3330 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000060 CAT II, APSC-DV-001740 CAT I, APSC-DV-001750 CAT I, APSC-DV-002330 CAT II

[62] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[63] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.content.html.password_management_insecure_submission