界: Encapsulation

封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。

GraphQL Bad Practices: GraphiQL Enabled

Abstract
创建 GraphQL 端点时启用了 GraphiQL。
Explanation
GraphiQL 是一种浏览器内工具,它利用 GraphQL 架构自检机制为 GraphQL API 开发和测试提供图形界面。GraphiQL 帮助用户探索 GraphQL 架构以及编写和执行 GraphQL 查询。

不建议允许在生产环境中访问 GraphiQL,因为通过 GraphiQL 启用 GraphQL 架构的自检可能会给您的整体安全状况带来风险。攻击者可以利用 GraphiQL 和自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化默认启用了 GraphiQL 的 GraphQL.js 端点:

app.use('/graphql', graphqlHTTP({
    schema
}));
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.javascript.graphql_bad_practices_graphiql_enabled
Abstract
创建 GraphQL 端点时启用了 GraphiQL。
Explanation
GraphiQL 是一种浏览器内工具,它利用 GraphQL 架构自检机制为 GraphQL API 开发和测试提供图形界面。GraphiQL 帮助用户探索 GraphQL 架构以及编写和执行 GraphQL 查询。

不建议允许在生产环境中访问 GraphiQL,因为通过 GraphiQL 启用 GraphQL 架构的自检可能会给您的整体安全状况带来风险。攻击者可以利用 GraphiQL 和自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化启用了 GraphiQL 的 GraphQL 端点:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema,
  graphiql = True
))
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.graphql_bad_practices_graphiql_enabled