39 个项目已找到
弱点

ASP.NET Misconfiguration: Missing HMAC Signature

Abstract
应用程序设置属性,如果将属性配置为使用加密,则禁止 ASP.NET 执行签名验证。
Explanation
默认情况下,ASP.NET 在解密有效负载(例如,ViewStateFormsAuth cookiesScriptResource.axd URL)之前对加密签名进行内部验证,然后将这些值传递至应用程序进一步处理。但是,在解密有效负载之前,可以使用 aspnet:UseLegacyEncryption 设置修改此功能,禁用加密签名验证。这样,恶意客户端将可以解密、伪造或采用其他方式篡改加密数据。

示例 1:在以下示例中,aspnet:UseLegacyEncryption 设置为 true

...
  <appSettings>
    <add key="aspnet:UseLegacyEncryption" value="true" />
  </appSettings>
...
References
[1] ASP.NET appSettings Element Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.configuration.dotnet.asp_dotnet_misconfiguration_missing_hmac_signature

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

Abstract
模型类拥有需要的属性和不需要的属性,因此可能容易受重复提交攻击的影响。
Explanation
如果攻击者传送的请求中包含的数据超出预期,使用拥有需要属性(标记为 [Required] 属性)和可选的属性(标记为 [Required] 属性)的模型类可能会导致问题。

ASP.NET MVC 框架将尝试捆绑请求参数到模型属性。

混合的要求而没有明确指出哪个参数为模型绑定可能表明有针对内部使用的模型属性,但是可以由攻击者控制。

以下代码定义了一种可能的模型类,其中有包含 [Required] 的属性和不包含 [Required] 的属性:


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}


如果有能更改应用程序行为的任何可选参数,那么攻击者可以通过发送一个可选参数请求来真正更改该行为。
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] BindAttribute Class
[3] RequiredAttribute Class
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

Abstract
模型类有要求的不可为空属性,因此可能容易受发布中攻击的影响。
Explanation
如果攻击者传送的请求中包含的数据少于预期,使用有要求的不可为空属性的模型类(标记为 [Required] 属性)可能导致问题。

ASP.NET MVC 框架将尝试捆绑请求参数到模型属性。

如果模型有要求的不可为空属性,而攻击者没有传送需要的参数要求 -- 也就是说,攻击者使用发布中攻击 -- 那么属性将拥有默认值(通常为零),该默认值将满足 [Required] 验证属性。这可能产生不可预期的应用程序行为。

以下代码定义了一种可能的模型类,其中有要求的枚举,不可为空:


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

Abstract
模型类有一个要求的属性,其类型为父模型类的一个可选成员,因此可能会受发布中攻击的影响。
Explanation
如果模型类有要求的属性,并且类型为父模型类的一个可选成员,如果攻击者传送的请求中包含的数据少于预期,可能会受发布中攻击的影响。

ASP.NET MVC 框架将尝试绑定要求参数到模型属性,包括子模型。

如果子模型可选 -- 也就是说,父模型有属性而没有 [Required] 属性 -- 如果攻击者没有传送子模型,那么父模型将有一个 null 值并且子模型要求的字段将不会由模型验证声明。这是发布中攻击的一种表单。

考虑以下模型类定义:


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}


如果攻击者没有传送针对 ParentModel.Child 属性的值,那么 ChildModel.RequiredProperty 属性将有一个未声明的 [Required]。这可能产生无法预期和不良后果。
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_optional_submodel_with_required_property

Axis 2 Service Provider Misconfiguration: Missing Inbound Signature

Abstract
如果消息未签名,则无法保证消息完整性。
Explanation
任何未签名的消息部分都有可能在接收者未察觉的情况下被拦截和修改。若未经签名,接收者将无法通过加密验证消息内容是否真实。

以下服务提供程序配置指示 Axis 2 接受未签名消息:

<service>
...
	<parameter name="InflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_missing_inbound_signature

Axis 2 Service Provider Misconfiguration: Missing Outbound Signature

Abstract
缺少签名意味着无法保证 SOAP 消息的完整性。
Explanation
任何未签名的消息部分都有可能在接收者未察觉修改的情况下被拦截和修改。若未经签名,接收者将无法通过加密验证消息内容的完整性或来源。

以下服务提供程序配置指示 Axis 2 发送未签名时间戳:

<service>
...
	<parameter name="OutflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_missing_outbound_signature

Axis 2 Service Provider Misconfiguration: Unsigned Inbound Timestamp

Abstract
未签名时间戳可能导致 SOAP 消息遭到篡改,而且容易受到转发攻击。
Explanation
安全时间戳表示消息新鲜度。如果攻击者拦截了一条消息并在稍后重新传输该消息,则接收方可以拒绝重放攻击,因为时间戳将指示该消息是过时的。时间戳可以选择性包含到期属性,该属性会对安全语义有效期设置硬性限制。

为了防止攻击者篡改时间戳,应对时间戳进行签名。如未设置签名时间戳,攻击者可能拦截 SOAP 消息、修改时间戳并在接收者毫不知情的情况下发送消息。在这些情况下,攻击者可能会诱骗收件人接受恶意邮件。

以下服务提供程序配置指示 Axis 2 接受消息时未签名时间戳:

<service>
...
	<parameter name="InflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_unsigned_inbound_timestamp

Axis 2 Service Provider Misconfiguration: Unsigned Outbound Timestamp

Abstract
未签名时间戳可能导致 SOAP 消息遭到篡改,而且容易受到转发攻击。
Explanation
安全时间戳表示消息安全语义的“新鲜度”。因此,如果消息遭到拦截但稍后重新传输,则接收者可以拒绝接收旧消息。时间戳可以选择性包含到期属性,该属性会对安全语义有效期设置硬性限制。

为了防止攻击者篡改时间戳,应对时间戳进行签名。如未设置签名时间戳,则可能拦截 SOAP 消息并在接收者毫不知情的情况下修改时间戳。在这些情况下,攻击者可能会诱骗收件人接受恶意邮件。

以下服务提供程序配置指示 Axis 2 发送未签名时间戳:

<service>
        ...
	<parameter name="OutflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_unsigned_outbound_timestamp

Axis 2 Service Requester Misconfiguration: Missing Inbound Signature

Abstract
缺少签名意味着无法保证 SOAP 消息完整性。
Explanation
未签名的消息的任何部分都有可能在发送方或接收方不知情的情况下被拦截和修改。如果没有签名,接收方就无法通过密码验证消息的内容是否真的来自发送方。

以下客户端配置指示 Axis 2 接受未签名消息:

<axisconfig name="AxisJava2.0">
...
	<parameter name="InflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_missing_inbound_signature

Axis 2 Service Requester Misconfiguration: Missing Outbound Signature

Abstract
缺少签名意味着无法保证 SOAP 消息的完整性。
Explanation
任何未签名的消息部分都有可能在接收者未察觉修改的情况下被拦截和修改。若未经签名,接收者将无法通过加密验证消息内容的来源。

以下客户端配置指示 Axis 2 发送未签名请求:

<axisconfig name="AxisJava2.0">
...
	<parameter name="OutflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_missing_outbound_signature

Axis 2 Service Requester Misconfiguration: Unsigned Inbound Timestamp

Abstract
未签名时间戳可能导致 SOAP 消息遭到篡改,而且容易受到转发攻击。
Explanation
安全时间戳表示消息新鲜度。如果攻击者拦截了一条消息并在稍后重新传输该消息,则接收方可以拒绝重放攻击,因为时间戳将指示该消息是过时的。时间戳可以选择性包含到期属性,该属性会对安全语义有效期设置硬性限制。

为了防止攻击者篡改时间戳,应对时间戳进行签名。如未设置签名时间戳,攻击者可能拦截 SOAP 消息、修改时间戳并在接收者毫不知情的情况下发送消息。在这些情况下,攻击者可能会诱骗收件人接受恶意邮件。

以下客户端配置指示 Axis 2 接受未签名时间戳:

<axisconfig name="AxisJava2.0">
...
	<parameter name="InflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_unsigned_inbound_timestamp

Axis 2 Service Requester Misconfiguration: Unsigned Outbound Timestamp

Abstract
未签名时间戳可能导致 SOAP 消息遭到篡改,而且容易受到转发攻击。
Explanation
安全时间戳表示消息新鲜度。如果攻击者拦截了一条消息并在稍后重新传输该消息,则接收方可以拒绝重放攻击,因为时间戳将指示该消息是过时的。时间戳可以选择性包含到期属性,该属性会对安全语义有效期设置硬性限制。

为了防止攻击者篡改时间戳,应对时间戳进行签名。如未设置签名时间戳,攻击者可能拦截 SOAP 消息、修改时间戳并在接收者毫不知情的情况下发送消息。在这些情况下,攻击者可能会诱骗收件人接受恶意邮件。

以下客户端配置指示 Axis 2 发送未签名时间戳:

<axisconfig name="AxisJava2.0">
...
	<parameter name="OutflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_unsigned_outbound_timestamp

GCP Terraform Misconfiguration: Cloud DNS DNSSEC Disabled

Abstract
Terraform 配置未启用云 DNS 域的域名系统安全 (DNSSEC)。
Explanation
DNSSEC 能够使用数字签名执行 DNS 响应验证,从而防止 DNS 欺骗。云 DNS 域的 DNSSEC 未启用。

示例 1:以下示例显示的 Terraform 配置通过在 dnssec_config 块中将 state 设置为 off,禁用了云 DNS 域的 DNSSEC。

resource "google_dns_managed_zone" "zone-demo" {
...
  dnssec_config {
    state = "off"
    ...
  }
...
}
References
[1] HashiCorp dns_managed_zone
[2] Google Cloud Manage DNSSEC configuration
[3] Standards Mapping - CIS Google Cloud Computing Platform Benchmark Recommendation 3.3
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-002418, CCI-002422
[6] Standards Mapping - FIPS200 SC
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-8 Transmission Confidentiality and Integrity (P1), SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-8 Transmission Confidentiality and Integrity, SC-20 Secure Name/Address Resolution Service (Authoritative Source) (P1)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.1 - Authentication and Access Control
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.1 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[18] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002440 CAT I, APSC-DV-002470 CAT II
desc.structural.hcl.gcp_terraform_misconfiguration_cloud_dns_dnssec_disabled

Mass Assignment: Insecure Binder Configuration

Abstract
用于将 HTTP 请求参数绑定到模型类的框架绑定器未显式配置为允许或禁止特定属性。
Explanation
为便于开发和提高生产率,现代框架允许自动实例化一个对象,并使用名称与要绑定的类的属性相匹配的 HTTP 请求参数填充该对象。对象的自动实例化和填充加快了开发速度,但如果不谨慎实施,会导致严重的问题。绑定类或嵌套类中的任何属性都将自动绑定到 HTTP 请求参数。因此,恶意用户能够将值分配给绑定类或嵌套类中的任意属性,即使这些属性未通过 Web 表单或 API 合约暴露给客户端也是如此。

示例 1:无需进行额外配置,以下 ASP.NET MVC 控制器方法便会将 HTTP 请求参数绑定到 RegisterModelDetails 类中的任何属性:


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}


其中,RegisterModel 类定义为:


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}
Details 类定义为:


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}
示例 2:在 ASP.NET MVC、Web API 应用程序中使用 TryUpdateModel()UpdateModel() 时,默认情况下,模型绑定器将自动尝试绑定所有 HTTP 请求参数:


public ViewResult Register()
{
    var model = new RegisterModel();
    TryUpdateModel<RegisterModel>(model);
    return View("detail", model);
}
示例 3:在 ASP.NET Web Form 应用程序中,将 TryUpdateModel()UpdateModel() 与 IValueProvider 接口结合使用时,模型绑定器将自动尝试绑定所有 HTTP 请求参数。

Employee emp = new Employee();
TryUpdateModel(emp, new System.Web.ModelBinding.FormValueProvider(ModelBindingExecutionContext)); 
if (ModelState.IsValid)
{
    db.SaveChanges();
}
Employee 类定义为:


 public class Employee
    {
        public Employee()
        {
            IsAdmin = false;
            IsManager = false;
        }
        public string Name { get; set; }
        public string Email { get; set; }
        public bool IsManager { get; set; }
        public bool IsAdmin { get; set; }
    }
References
[1] OWASP Mass assignment
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.dotnet.mass_assignment_insecure_binder_configuration
Abstract
用于将 HTTP 请求参数绑定到模型类的框架绑定器尚未明确配置为允许或禁止某些属性
Explanation
为简化开发过程并提高工作效率,大多数现代框架允许自动实例化对象并填充名称与要绑定的类属性匹配的 HTTP 请求参数。自动实例化和填充对象可加快开发速度,但若实施不慎,可能会引发严重问题。绑定类或嵌套类中的所有属性都将自动绑定到 HTTP 请求参数。因此,恶意用户将可以为绑定类或嵌套类中的任何属性赋值,即使未通过 Web 表单或 API 约定向客户端公开也是一样。

示例 1:使用 Spring WebFlow 但未进行额外配置,以下操作可将 HTTP 请求参数绑定到 Booking 类的任何属性:


    <view-state id="enterBookingDetails" model="booking">
		<on-render>
			<render fragments="body" />
		</on-render>
        <transition on="proceed" to="reviewBooking">
        </transition>
		<transition on="cancel" to="cancel" bind="false" />
	</view-state>


其中,Booking 类定义如下:


public class Booking implements Serializable {
	private Long id;
	private User user;
	private Hotel hotel;
	private Date checkinDate;
	private Date checkoutDate;
	private String creditCard;
	private String creditCardName;
	private int creditCardExpiryMonth;
	private int creditCardExpiryYear;
	private boolean smoking;
	private int beds;
	private Set<Amenity> amenities;

   // Public Getters and Setters
   ...
}
References
[1] OWASP Mass assignment
[2] Pivotal Spring MVC Known Vulnerabilities and Issues
[3] Standards Mapping - Common Weakness Enumeration CWE ID 915
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.config.java.mass_assignment_insecure_binder_configuration

Mass Assignment: Request Parameters Bound into Persisted Objects

Abstract
如果允许使用请求参数自动填充数据库持久实体,攻击者将能够在关联实体中创建计划外的记录,或者更新实体对象中的计划外字段。
Explanation
模型对象是数据库实体面向对象的表示。它们为加载、存储、更新和删除相关数据库实体提供了简便的方法。
例如,Hibernate、Microsoft .NET 实体框架和 LINQ 都是对象关系映射 (ORM) 框架,可以帮助您构建基于数据库的模型对象。

为了减轻开发人员的压力,许多 Web 框架都在努力提供相应的机制,即根据将请求参数名称与模型对象属性名称相匹配的方法将请求参数绑定到请求绑定对象(根据匹配的公共 getter 和 setter 方法)。

如果应用程序将 ORM 类作为请求绑定对象,请求参数就能够修改模型对象中的任何字段以及对象属性中的任何嵌入字段。

示例 1:OrderCustomerProfile 都是 Microsoft .NET 实体持久类。

public class Order {
	public string ordered { get; set; }
	public List<LineItem> LineItems { get; set; }
	pubilc virtual Customer Customer { get; set; }
...
}
public class Customer {
	public int CustomerId { get; set; }
	...
	public virtual Profile Profile { get; set; }
...
}
public class Profile {
	public int profileId { get; set; }
	public string username { get; set; }
	public string password { get; set; }
	...
}
OrderController 是处理该请求的 ASP.NET MVC 控制器类:


public class OrderController : Controller{
	StoreEntities db = new StoreEntities();
...

	public String updateOrder(Order order) {
		...
		db.Orders.Add(order);
		db.SaveChanges();
	}
}

由于模型实体类会自动绑定到该请求,因此攻击者可以利用这一漏洞,通过在该请求中添加下列请求参数来更新其他用户的密码:"http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 915
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[11] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[12] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.dotnet.mass_assignment_request_parameters_bound_into_persisted_objects
Abstract
如果允许使用请求参数自动填充数据库持久实体,攻击者将能够在关联实体中创建计划外的记录,或者更新实体对象中的计划外字段。
Explanation
持久对象通常绑定到底层数据库,并由持久性框架(如 Hibernate 或 JPA)自动更新。如果允许这些对象动态地绑定到 Spring MVC 发出的请求,则攻击者将能够通过提供附加的请求参数向数据库中注入非预期的值。
例 1:OrderCustomerProfile 都是 Hibernate 持久类。

public class Order {
	String ordered;
	List lineItems;
	Customer cust;
...
}
public class Customer {
	String customerId;
	...
    Profile p;
...
}
public class Profile {
	String profileId;
	String username;
	String password;
	...
}
OrderController 是处理该请求的 Spring 控制器类:

@Controller
public class OrderController {
...
	@RequestMapping("/updateOrder")
	public String updateOrder(Order order) {
		...
		session.save(order);
	}
}

因为命令类会自动绑定到该请求,所以利用这一漏洞,攻击者可以通过在该请求中添加如下请求参数来更新其他用户的密码:"http://www.yourcorp.com/webApp/updateOrder?order.customer.profile.profileId=1234&order.customer.profile.password=urpowned"
References
[1] Ryan Berg and Dinis Cruz Two Security Vulnerabilities in the Spring Framework's MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.java.mass_assignment_request_parameters_bound_into_persisted_objects

Mass Assignment: Request Parameters Bound via Input Formatter

Abstract
当使用 [FromBody] 注释时,用于将 HTTP 请求参数绑定到模型类的框架绑定器依赖于输入格式程序。
Explanation
为简化开发过程并提高工作效率,大多数现代框架允许自动实例化对象并填充名称与要绑定的类属性匹配的 HTTP 请求参数。自动实例化和填充对象可加快开发速度,但若实施不慎,可能会引发严重问题。绑定类或嵌套类中的所有属性都将自动绑定到 HTTP 请求参数。因此,恶意用户将可以为绑定类或嵌套类中的任何属性赋值,即使未通过 Web 表单或 API 约定向客户端公开也是一样。

在这种情况下,当 [FromBody] 注释应用于操作的复杂参数,然后任何其他应用于参数类型或其任何字段的绑定属性(例如 [Bind][BindNever])都会被有效忽略,这意味着使用绑定注释进行规避是不可能的。

示例 1:在 ASP.NET Core MVC Web 应用程序中,当 [FromBody] 注释应用于操作的参数时,模型绑定器会自动尝试使用输入格式程序绑定请求正文中指定的所有参数。默认情况下,绑定器使用 JSON 输入格式程序来尝试绑定来自请求正文的所有可能的参数:


[HttpPost]
public ActionResult Create([FromBody] Product p)
{
    return View(p.Name);
}


请注意,当存在 [FromBody] 注释时,任何应用于后接的 Product 类型的绑定注释(例如 [Bind][BindNever])都会因为所使用的输入格式程序而被忽略。


public class Product
{
    ...
    public string Name { get; set; }
    public bool IsAdmin { get; set; }
    ...
}
References
[1] Microsoft [FromBody] attribute
[2] OWASP Mass assignment
[3] Standards Mapping - Common Weakness Enumeration CWE ID 915
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Abuse of Functionality (WASC-42)
desc.structural.dotnet.mass_assignment_request_parameters_bound_via_input_formatters

Mass Assignment: Sensitive Field Exposure

Abstract
一个敏感字段已向模型绑定器公开。
Explanation
现代框架可让开发人员将来自请求查询和正文的 HTTP 请求参数自动绑定至模型对象,以便于开发和提高生产率。如果绑定器未正确配置为控制将哪些 HTTP 请求参数绑定到哪些模型属性,攻击者可能会滥用模型绑定过程并设置不应向用户控件公开的任何其他属性。即使模型属性未出现在 Web 表单或 API 合约中,也可能会发生这种绑定。

例 1:以下 ASP.NET MVC 控制器方法 (Register) 从 Web 表单进行访问,该表单要求用户通过提供其姓名和密码注册帐户。


public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
        try
        {
            return RedirectToAction("Index", "Home");
        }
        catch (MembershipCreateUserException e)
        {
            ModelState.AddModelError("", "");
        }
    }
    return View(model);
}


其中,RegisterModel 类定义为:


public class RegisterModel
{
    [BindRequired]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [BindRequired]
    [DataType(DataType.Password)]
    [Display(Name = "Password")]
    public string Password { get; set; }

    [DataType(DataType.Password)]
    [Display(Name = "Confirm password")]
    public string ConfirmPassword { get; set; }

    public Details Details { get; set; }

    public RegisterModel()
    {
        Details = new Details();
    }
}
Details 类定义为:


public class Details
{
    public bool IsAdmin { get; set; }
    ...
}


设想Example 1 中的场景,攻击者可能会浏览应用程序并发现 RegisterModel 模型中存在 Details 属性。如果出现这种情况,攻击者可能会尝试覆盖分配给这些属性的当前值。
如果攻击者可以找到这些内部属性,并且框架绑定器未正确配置为禁止绑定这些属性,则攻击者可能会通过发送以下请求注册管理员帐户:


name=John&password=****&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Standards Mapping - Common Weakness Enumeration CWE ID 915
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[12] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[13] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.structural.dotnet.mass_assignment_sensitive_field_exposure
Abstract
敏感字段向模型绑定器公开。
Explanation
现代框架允许开发人员自动将请求查询和正文中的 HTTP 请求参数绑定到模型对象,便于推进开发工作及提高工作效率。如果绑定器未正确配置为控制将哪些 HTTP 请求参数绑定到哪些模型属性,攻击者可能滥用模型绑定进程,设置不应暴露给用户控制的任何其他属性。即使 Web 表单或 API 约定中未显示模型属性,也可以建立此类绑定。

示例 1:以下 Struts 1 DynaActionForm 动态定义绑定到用户请求的 ActionForm。在这种情况下,在实际应用中,通过提供帐户类型和用户详细信息来注册帐户:


<struts-config>
  <form-beans>
       <form-bean name="dynaUserForm"
          type="org.apache.struts.action.DynaActionForm" >
              <form-property name="type" type="java.lang.String" />
              <form-property name="user" type="com.acme.common.User" />
       </form-bean>
       ...



如果注册成功,用户数据将被永久保存到数据库中。User 类定义为:


public class User {
  private String name;
  private String lastname;
  private int age;
  private Details details;

  // Public Getters and Setters
  ...
}
Details 类定义为:


public class Details {
  private boolean is_admin;
  private int id;
  private Date login_date;

  // Public Getters and Setters
  ...
}


设想Example 1 中的场景,攻击者可能会浏览应用程序并发现 User 模型中存在 details 属性。如果出现这种情况,攻击者可能会尝试覆盖分配给这些属性的当前值。
如果攻击者可以查找这些内部属性,但是为禁止绑定这些属性,框架绑定器配置不正确,那么攻击者将能够通过发送以下请求来注册管理员帐户:


type=free&user.name=John&user.lastname=Smith&age=22&details.is_admin=true
References
[1] OWASP Mass assignment
[2] Spring Spring MVC Known Vulnerabilities and Issues
[3] Standards Mapping - Common Weakness Enumeration CWE ID 915
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001082, CCI-002754
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-2 Application Partitioning (P1), SI-10 Information Input Validation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-2 Separation of System and User Functionality, SI-10 Information Input Validation
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.2 Input Validation Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
desc.config.java.mass_assignment_sensitive_field_exposure

Weak WS-SecurityPolicy: Missing Initiator Signature Token

Abstract
缺少签名意味着无法保证 SOAP 消息的完整性。
Explanation
未签名的消息的任何部分都有可能在发送方或接收方不知情的情况下被拦截和修改。如果没有签名,接收方就无法通过密码验证消息的内容是否真的来自发送方。

示例 1:以下 WS-SecurityPolicy 策略条目使用非对称绑定,但没有指定发起方签名令牌:

<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorEncryptionToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:InitiatorEncryptionToken>
    <sp:RecipientEncryptionToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:RecipientEncryptionToken>
    <sp:RecipientSignatureToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:RecipientSignatureToken>
      ...
  </wsp:Policy>
</sp:AsymmetricBinding>
References
[1] WS-SecurityPolicy 1.2 OASIS
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.webservices.weak_ws-securitypolicy_missing_initiator_signature_token

Weak WS-SecurityPolicy: Missing Recipient Signature Token

Abstract
缺少签名意味着无法保证 SOAP 消息的完整性。
Explanation
未签名的消息的任何部分都有可能在发送方或接收方不知情的情况下被拦截和修改。如果没有签名,接收方就无法通过密码验证消息的内容是否真的来自发送方。

示例 1:以下 WS-SecurityPolicy 策略条目使用非对称绑定,但没有指定接收方签名令牌:

<sp:AsymmetricBinding>
  <wsp:Policy>
    <sp:InitiatorEncryptionToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:InitiatorEncryptionToken>
    <sp:InitiatorSignatureToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:InitiatorSignatureToken>
    <sp:RecipientEncryptionToken>
      <wsp:Policy>
      ...
      </wsp:Policy>
    </sp:RecipientEncryptionToken>
      ...
  </wsp:Policy>
</sp:AsymmetricBinding>
References
[1] WS-SecurityPolicy 1.2 OASIS
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.webservices.weak_ws-securitypolicy_missing_recipient_signature_token

Weak WS-SecurityPolicy: Missing Signature Token

Abstract
缺少签名意味着无法保证 SOAP 消息的完整性。
Explanation
未签名的消息的任何部分都有可能在发送方或接收方不知情的情况下被拦截和修改。如果没有签名,接收方就无法通过密码验证消息的内容是否真的来自发送方。

示例 1:以下 WS-SecurityPolicy 策略条目使用对称绑定,但没有指定签名令牌:

<sp:SymmetricBinding>
    <wsp:Policy>
        <sp:EncryptionToken>
            <wsp:Policy>
                ...
            </wsp:Policy>
        </sp:EncryptionToken>
        ...
    </wsp:Policy>
</sp:SymmetricBinding>
References
[1] WS-SecurityPolicy 1.2 OASIS
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[12] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.webservices.weak_ws-securitypolicy_missing_signature_token