531 个项目已找到
弱点

Android Bad Practices: Use of Released SQLite Resource

Abstract
代码在 Android 数据库处理器释放后对其进行了引用。
Explanation
当 Android SQLite 数据库处理器关闭后,代码仍试图使用它。在未重新建立数据库连接的情况下,对处理器的任何进一步引用都将抛出异常。如果未捕获该异常,可能会导致应用程序崩溃。

示例:以下代码可能来自将用户值暂时缓存在内存中,但可调用 flushUpdates() 将这些变化提交到磁盘中的程序。该方法会在将更新写入数据库后正确关闭数据库处理器。然而,当再次调用 flushUpdates() 时,数据库对象会在重新初始化之前被再次引用。


public class ReuseDBActivity extends Activity {
  private myDBHelper dbHelper;
  private SQLiteDatabase db;

  @Override
  public void onCreate(Bundle state) {
      ...
      db = dbHelper.getWritableDatabase();
      ...
  }
  ...

  private void flushUpdates() {
      db.insert(cached_data);     // flush cached data
      dbHelper.close();
  }
  ...
}
References
[1] Data Storage, Android Developers
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 416
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416
[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416
[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.android_bad_practices_use_of_released_sqlite_resource

Android Bad Practices: Weak Authentication

Abstract
程序利用专用和/或设备特定信息来生成通用的唯一标识符。
Explanation
在完全进行数据擦除和恢复出厂重置后,硬件和设备特定标识符仍会存在。因此不应依靠此类信息生成用来授权或验证用户的唯一标识符。

不仅如此,由于通用的唯一标识符与个人信息是在一起的,因而泄漏后会给用户隐私和安全带来威胁。
References
[1] Designing for Security Android
[2] OWASP Top 10 Mobile Risks OWASP
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[15] Standards Mapping - FIPS200 CM, SC
[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[18] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[19] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[23] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.1 - Web Software Access Controls, Control Objective C.2.1.2 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II, APSC-DV-001970 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.java.android_bad_practices_weak_authentication

Android Class Loading Hijacking

Abstract
从一个不可信赖的数据源或在不可信赖的环境中加载类,可能会导致应用程序以攻击者的名义执行恶意命令。
Explanation
Android 类加载劫持漏洞主要表现为以下两种形式:

- 攻击者可以更改程序在其中搜索来加载类的目录的名称,从而指向他们有控制权的某个目录的路径:攻击者明确控制了将在其中搜索类的路径。

- 攻击者可以更改用于加载类的环境:攻击者间接控制了路径名的含义。

在这种情况下,我们着重关注第一种情况,即攻击者有可能控制在其中搜索加载类的目录。这种类型的 Android Class Loading Hijacking 漏洞会在以下情况下出现:

1. 数据从不可信赖的数据源进入应用程序。



2. 数据用作一个或部分字符串,代表在其中搜索要加载的类的库目录。



3. 通过从库路径执行代码,应用程序授予攻击者在一般情况下无法获得的权限或能力。

例 1:以下代码使用用户可更改的 userClassPath,来确定在其中搜索要加载的类的目录。


...
  productCategory = this.getIntent().getExtras().getString("userClassPath");
  DexClassLoader dexClassLoader = new DexClassLoader(productCategory, optimizedDexOutputPath.getAbsolutePath(), null, getClassLoader());
  ...


此代码允许攻击者通过将 userClassPath 的结果修改为指向他们控制的不同路径,以提升的应用程序权限加载库并可能执行任意代码。因为程序不验证从环境读取的值,如果攻击者能够控制 userClassPath 的值,那么他们就可以欺骗应用程序指向他们控制的目录,从而使用与原始应用程序一样的权限加载他们已经定义的类。

例 2:以下代码使用用户可更改的 userOutput,来确定应将优化的 DEX 文件写入的目录。


...
  productCategory = this.getIntent().getExtras().getString("userOutput");
  DexClassLoader dexClassLoader = new DexClassLoader(sanitizedPath, productCategory, null, getClassLoader());
...



此代码允许攻击者指定优化的 DEX 文件 (ODEX) 的输出目录。这样,恶意用户便可以将 userOutput 的值更改为他们控制的目录,例如外部存储。一旦达到这一目的,便可以很轻松地将输出的 ODEX 文件替换为恶意 ODEX 文件,并使用与原始应用程序一样的权限加以执行。
References
[1] Android Class Loading Hijacking Symantec
desc.dataflow.java.android_class_loading_hijacking

Android Misconfiguration: Debug Information

Abstract
调试消息可帮助攻击者了解系统并计划攻击形式。
Explanation
Android 应用程序可以配置为生成调试二进制代码。这些二进制文件可提供详细的调试消息,不应在生产环境中使用。<application> 标签的 debuggable 属性定义编译后的二进制文件是否应包含调试信息。

使用调试二进制文件会导致应用程序向用户提供尽可能多的关于其自身的信息。调试二进制文件旨在用于开发或测试环境,如果部署到生产环境中可能会带来安全风险。攻击者可以利用其从调试输出中获得的附加信息,对应用程序所用的框架、数据库或其他资源发动攻击。
References
[1] JavaDoc for Android Android
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 11
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M10 Lack of Binary Protections
[21] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.android_misconfiguration_debug_information

Axis 2 Misconfiguration: Debug Information

Abstract
SOAP Monitor 模块允许攻击者探查 SOAP 流量。
Explanation
Apache Axis 2 为开发人员提供了一款实用程序,通过 Java 小程序监控传入和传出的 SOAP 消息。SOAP Monitor 将显示用于调用 Web 服务的所有 SOAP 消息。攻击者可能会使用该实用程序窃听 Web 服务与其客户端之间的通信。

References
[1] Using the SOAP Monitor Apache Software Foundation
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 215
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[12] Standards Mapping - FIPS200 CM
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-11 Error Handling (P2)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-11 Error Handling
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.axis2_misconfiguration_debug_information

Axis 2 Misconfiguration: Insecure Message Security

Abstract
Apache Axis 2 配置为使用 REST,而 REST 则无消息安全标准。
Explanation
如果服务将消息转发到其他服务,消息将暴露在转发点之间使用的最弱传输机制之下。REST 本身不含任何安全机制,因此该服务依赖传输层确保消息完整性和机密性。

以下配置启用 REST:

<axisconfig name="AxisJava2.0">
...
    <parameter name="disableREST" locked="true">false</parameter>
...
</axisconfig>
References
[1] Axis2 Apache Software Foundation
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 311
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[9] Standards Mapping - FIPS200 CM, SC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000260 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_misconfiguration_insecure_message_security

Axis 2 Misconfiguration: Insecure Transport Receiver

Abstract
该配置应确保要求使用 SSL 访问敏感信息。
Explanation
如果应用程序需要处理敏感信息并且没有使用消息级别加密,则只应允许它通过加密传输通道进行通信。

References
[1] HTTP Transport Apache Software Foundation
[2] Axis2 Configuration Guide Apache Software Foundation
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 311
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[10] Standards Mapping - FIPS200 CM, SC
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)
[22] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[23] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[35] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_misconfiguration_insecure_transport_receiver