界: API Abuse

API 是调用方和被调用方之间的约定。最常见的 API 滥用是由于调用方未能遵守此约定的终止导致的。例如,如果某个程序在调用 chroot() 后未能调用 chdir(),则违反了用于指定如何安全地更改活动根目录的约定。库滥用的另一个典型示例是期望被调用方向调用方返回可信的 DNS 信息。在这种情况下,调用方通过对被调用方行为做出某种假设(返回值可用于身份验证目的)滥用其 API。另一方也可能违反调用方-被调用方约定。例如,如果编码器子类化 SecureRandom 并返回一个非随机值,则将违反此约定。

82 个项目已找到
弱点

ADF Faces Bad Practices: unsecure Attribute

Abstract
unsecure 属性会指定可在客户端上设置值的属性列表。
Explanation
Oracle ADF Faces 组件的属性值通常只能在服务器上设置。但许多组件都允许开发人员定义可在客户端上设置的属性列表。这些组件的 unsecure 属性可以指定此列表。

目前唯一一个可在 unsecure 属性中显示的属性是 disabled,该属性允许客户端定义要启用和禁用的组件。最好不要让客户端控制只应在服务器上设置的属性值。

示例:以下代码显示了从用户收集密码信息并使用 unsecure 属性的 inputText 组件。


...
    <af:inputText id="pwdBox"
                  label="#{resources.PWD}"
                  value=""#{userBean.password}
                  unsecure="disabled"
                  secret="true"
                  required="true"/>
...
References
[1] Oracle ADF Faces Tag Reference
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 5
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
desc.structural.java.adf_faces_bad_practices_unsecure_attribute

Android Bad Practices: Use of File Scheme Cookies

Abstract
应用程序允许将 Cookie 用于 file:// 协议,这可能导致不利的安全隐患。
Explanation
根据 RFC 2109,Cookie 严格意义上属于 HTTP 机制。 不应用于除 HTTP 以外的其他协议,包括 file://。 目前还不清楚它们的行为应该是什么,以及适用何种安全分隔规则。 例如,从 Internet 下载到本地磁盘的 HTML 文件是否应与本地安装的任意 HTML 代码共享相同的 Cookie?
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
desc.semantic.java.android_bad_practices_use_of_file_scheme_cookies

ASP.NET Middleware Out of Order: Default Cookie Configuration

Abstract
应用程序错误地指定了 ASP.NET Cookie 策略中间件。
Explanation
未按正确顺序添加到中间件管道的 ASP.NET Core 中间件将无法按预期运行,从而使应用程序面临各种安全问题。

示例 1:UseCookiePolicy() 方法将 Cookie 策略中间件添加到中间件管道中,从而允许自定义 Cookie 策略。当按所示的错误顺序指定时,程序员声明的任何 Cookie 策略都将被忽略。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422
[8] Standards Mapping - FIPS200 MP, SC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[20] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

Abstract
应用程序错误地指定了默认的 ASP.NET HTTPS 重定向中间件。
Explanation
未按正确顺序添加到中间件管道的 ASP.NET Core 中间件将无法按预期运行,从而使应用程序面临各种安全问题。

示例 1:UseHttpsRedirection() 方法将 HTTPS 重定向中间件添加到中间件管道中,这样可以将不安全的 HTTP 请求重定向到安全的 HTTPS 请求。如果以所示的错误顺序指定,则在通过重定向之前列出的中间件处理请求之前不会发生有意义的 HTTPS 重定向。这样可以使应用程序处理 HTTP 请求后重定向到安全的 HTTPS 连接。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[11] Standards Mapping - FIPS200 SC
[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-2 Application Partitioning (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-2 Separation of System and User Functionality, SC-8 Transmission Confidentiality and Integrity
[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[22] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[35] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

Abstract
应用程序错误地指定了 ASP.NET Core 日志记录中间件。
Explanation
未按正确顺序添加到中间件管道的 ASP.NET Core 中间件将无法按预期运行,从而使应用程序面临各种安全问题。

示例 1:UseHttpLogging() 方法将 HTTP 日志记录中间件添加到允许记录中间件组件的中间件管道中。当按所示的错误顺序指定时,在调用 UseHttpLogging() 之前,将不会记录添加到管道中的任何中间件。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...
示例 2:UseWC3Logging() 方法将 W3C 日志记录中间件添加到允许记录中间件组件的中间件管道中。当按所示的错误顺序指定时,在调用 UseWC3Logging() 之前,将不会记录添加到管道中的任何中间件。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[15] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

Abstract
控制器操作可能会受益于限制仅接受下列 HTTP 谓词之一:Post、Put、Patch 或 Delete。
Explanation
通过写入、更新或删除修改数据的 ASP.NET MVC 控制器操作可能会受益于限制仅接受下列 HTTP 谓词之一:Post、Put、Patch 或 Delete。这会增加 Cross-Site Request Forgery 的难度,因为意外点击链接不会导致执行操作。

以下控制器操作默认接受任何命令,可能容易受跨站点伪装请求的影响:


public ActionResult UpdateWidget(Model model)
{
  // ... controller logic
}
References
[1] Don't use Delete Links because they create Security Holes
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 352
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[13] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[17] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[23] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[35] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[36] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.dotnet.aspnet_mvc_bad_practices_action_not_post_only

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

Abstract
模型类拥有需要的属性和不需要的属性,因此可能容易受重复提交攻击的影响。
Explanation
如果攻击者传送的请求中包含的数据超出预期,使用拥有需要属性(标记为 [Required] 属性)和可选的属性(标记为 [Required] 属性)的模型类可能会导致问题。

ASP.NET MVC 框架将尝试捆绑请求参数到模型属性。

混合的要求而没有明确指出哪个参数为模型绑定可能表明有针对内部使用的模型属性,但是可以由攻击者控制。

以下代码定义了一种可能的模型类,其中有包含 [Required] 的属性和不包含 [Required] 的属性:


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}


如果有能更改应用程序行为的任何可选参数,那么攻击者可以通过发送一个可选参数请求来真正更改该行为。
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] BindAttribute Class
[3] RequiredAttribute Class
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[5] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[9] Standards Mapping - CIS Kubernetes Benchmark partial
[10] Standards Mapping - Common Weakness Enumeration CWE ID 345
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[16] Standards Mapping - OWASP Top 10 2010 A1 Injection
[17] Standards Mapping - OWASP Top 10 2013 A1 Injection
[18] Standards Mapping - OWASP Top 10 2017 A1 Injection
[19] Standards Mapping - OWASP Top 10 2021 A03 Injection
[20] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

Abstract
模型类有要求的不可为空属性,因此可能容易受发布中攻击的影响。
Explanation
如果攻击者传送的请求中包含的数据少于预期,使用有要求的不可为空属性的模型类(标记为 [Required] 属性)可能导致问题。

ASP.NET MVC 框架将尝试捆绑请求参数到模型属性。

如果模型有要求的不可为空属性,而攻击者没有传送需要的参数要求 -- 也就是说,攻击者使用发布中攻击 -- 那么属性将拥有默认值(通常为零),该默认值将满足 [Required] 验证属性。这可能产生不可预期的应用程序行为。

以下代码定义了一种可能的模型类,其中有要求的枚举,不可为空:


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 345
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - OWASP Top 10 2021 A03 Injection
[18] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

Abstract
模型类有一个要求的属性,其类型为父模型类的一个可选成员,因此可能会受发布中攻击的影响。
Explanation
如果模型类有要求的属性,并且类型为父模型类的一个可选成员,如果攻击者传送的请求中包含的数据少于预期,可能会受发布中攻击的影响。

ASP.NET MVC 框架将尝试绑定要求参数到模型属性,包括子模型。

如果子模型可选 -- 也就是说,父模型有属性而没有 [Required] 属性 -- 如果攻击者没有传送子模型,那么父模型将有一个 null 值并且子模型要求的字段将不会由模型验证声明。这是发布中攻击的一种表单。

考虑以下模型类定义:


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}


如果攻击者没有传送针对 ParentModel.Child 属性的值,那么 ChildModel.RequiredProperty 属性将有一个未声明的 [Required]。这可能产生无法预期和不良后果。
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 345
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[14] Standards Mapping - OWASP Top 10 2010 A1 Injection
[15] Standards Mapping - OWASP Top 10 2013 A1 Injection
[16] Standards Mapping - OWASP Top 10 2017 A1 Injection
[17] Standards Mapping - OWASP Top 10 2021 A03 Injection
[18] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[36] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_optional_submodel_with_required_property

Biometric Authentication: Missing Operation Message

Abstract
该应用程序在没有给出正当理由的情况下要求用户输入其指纹。
Explanation
根据 Apple 的政策,应用程序始终应向用户说明需要输入指纹的理由。如果未能做到这一点,可能会使用户感到困惑,甚至导致您的应用程序被 AppStore 拒绝。

示例 1:以下代码使用 Touch ID 验证用户,但未能提供正当理由来说明为何需要进行该验证:


    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:nil
        reply:^(BOOL success, NSError *error) {
            if (success) {
                NSLog(@"Auth was OK");
            } 
    }];
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.objc.biometric_authentication_missing_operation_message
Abstract
该应用程序在没有给出正当理由的情况下要求用户输入其指纹。
Explanation
根据 Apple 的政策,应用程序始终应向用户说明需要输入指纹的理由。如果未能做到这一点,可能会使用户感到困惑,甚至导致您的应用程序被 AppStore 拒绝。

示例 1:以下代码使用 Touch ID 验证用户,但未能提供正当理由来说明为何需要进行该验证:


    context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "", reply: { (success, error) -> Void in
        if (success) {
            print("Auth was OK");
        }
        else {
            print("Error received: %d", error!);
        }
    })
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[10] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.swift.biometric_authentication_missing_operation_message

Castor Bad Practices: Query Mode Not Read-Only

Abstract
非只读模式的 Castor 查询可能会影响性能。
Explanation
即便 castor 创建了对象的锁定,也不能阻止其他线程对该对象执行读取或写入。另外,与默认的共享模式相比,只读模式的查询的运行速度大约是前者的 7 倍。

例 1:下例指定 SHARED 查询模式,该模式允许读取和写入访问。

results = query.execute(Database.SHARED);
References
[1] ExoLab Group Castor JDO - Best practice
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[7] Standards Mapping - Common Weakness Enumeration CWE ID 265
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.structural.java.castor_bad_practices_query_mode_not_read_only

Castor Bad Practices: Unspecified Query Mode

Abstract
该 Castor 查询未明确定义查询模式。
Explanation
默认情况下,Castor 以共享模式执行查询。由于共享模式允许读取访问和写入访问,因此该查询需要采取何种操作并不清楚。如果要在只读上下文中使用该对象,则共享访问会增加不必要的性能负担。

例 1:以下示例未指定查询模式。

results = query.execute();    //missing query mode
References
[1] ExoLab Group Castor JDO - Best practice
[2] ExoLab Group, Intalio Inc., and Contributors Database (Castor JavaDoc)
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - Common Weakness Enumeration CWE ID 265
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.semantic.java.castor_bad_practices_unspecified_query_mode

Code Correctness: Call to GC.Collect()

Abstract
显式的调用垃圾回收机制可以预示系统性能可能出现的问题。
Explanation
几乎所有的 .NET 开发人员都会遇到过这样的情况,有时候某个问题看上去十分蹊跷、捉摸不透,似乎只能把原因归结到垃圾回收机制上。特别是当问题与 time and state 相关时,我们可以根据经验进行推断,并找到支持这一理论的根据:插入对 GC.Collect() 的调用似乎可以使问题迎刃而解。

在我们遇到的绝大多数情况中,调用 GC.Collect() 并非什么好方法。事实上,过于频繁地调用 GC.Collect() 会带来性能问题。
References
[1] Scott Holden The perils of GC.Collect()
[2] Rico Mariani Performance Tidbits
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 730
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[35] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_call_to_gc_collect

Code Correctness: Call to System.gc()

Abstract
显式的调用垃圾回收机制可以预示系统性能可能出现的问题。
Explanation
几乎所有的 Java 开发人员都会在工作中碰到这样的情况,有时候某个问题看上去非常神秘,让人难以理解,而且根本调试不出来,好像一点办法都没有,只能将原因归结为垃圾回收机制的问题。特别是当问题与 time and state 相关时,我们可以根据经验进行推断,并找到支持这一理论的根据:插入对 System.gc() 的调用似乎可以使问题迎刃而解。

在我们遇到的绝大多数情况中,调用 System.gc() 并非什么好方法。事实上,过于频繁地调用 System.gc() 会带来性能问题。
References
[1] D. H. Hovermeyer FindBugs User Manual
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 730
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[12] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[33] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[34] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.java.code_correctness_call_to_system_gc

Code Correctness: Class Does Not Implement Equivalence Method

Abstract
在没有实现 Equals() 的对象上调用了 Equals()
Explanation
当比较对象时,开发人员通常希望比较对象的属性。然而,在没有明确实现 Equals() 的类(或任何超类/接口)上调用 Equals() 会导致调用继承自 System.ObjectEquals() 方法。Object.Equals() 将比较两个对象实例,查看它们是否相同,而不是比较对象成员字段或其他属性。尽管可以合法地使用 Object.Equals(),但这通常表示存在错误代码。

示例 1:

public class AccountGroup
{
    private int gid;

    public int Gid
    {
        get { return gid; }
        set { gid = value; }
    }
}
...
public class CompareGroup
{
    public bool compareGroups(AccountGroup group1, AccountGroup group2)
    {
        return group1.Equals(group2);   //Equals() is not implemented in AccountGroup
    }
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_class_does_not_implement_equals
Abstract
在没有实现 equals() 的对象上调用了 equals() 方法。
Explanation
当比较对象时,开发人员通常希望比较对象的属性。然而,在没有明确实现 equals() 的类(或任何超类/接口)上调用 equals() 会导致调用继承自 java.lang.Objectequals() 方法。Object.equals() 将比较两个对象实例,查看它们是否相同,而不是比较对象成员字段或其他属性。尽管可以合法地使用 Object.equals(),但这通常表示存在错误代码。

例 1:

public class AccountGroup
{
	private int gid;

	public int getGid()
	{
		return gid;
	}

	public void setGid(int newGid)
	{
		gid = newGid;
	}
}
...
public class CompareGroup
{
	public boolean compareGroups(AccountGroup group1, AccountGroup group2)
	{
		return group1.equals(group2);   //equals() is not implemented in AccountGroup
	}
}
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_class_does_not_implement_equals

Code Correctness: Erroneous finalize() Method

Abstract
finalize() 方法应该调用 super.finalize()
Explanation
The Java Language Specification 中指出,finalize() 方法调用 super.finalize() 是一种非常好的做法 [1]。

例 1:以下方法没有调用 super.finalize()


protected void finalize() {
  discardNative();
}
References
[1] J. Gosling, B. Joy, G. Steele, G. Bracha The Java Language Specification, Second Edition Addison-Wesley
[2] MET12-J. Do not use finalizers CERT
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - Common Weakness Enumeration CWE ID 568
desc.structural.java.code_correctness_erroneous_finalize_method

Code Correctness: Incorrect Serializable Method Signature

Abstract
在序列化方法上使用错误的方法签名可能导致永远不会调用该方法。
Explanation
代码正确性:当可序列化的类创建序列化或反序列化函数但未采用正确的签名时,会发生“可序列化的方法签名不正确”的问题: 


  private void writeObject(java.io.ObjectOutputStream out) throws IOException;
  private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException;
  private void readObjectNoData() throws ObjectStreamException;


未使用序列化所要求的方法签名会导致在序列化/反序列化过程中永远不会调用该方法,这意味着将无法完成序列化/反序列化,或意味着不可信赖的代码可以获取对象的访问权限。
如果存在未抛出的异常,则可能意味着序列化/反序列化将失败并使应用程序崩溃,甚或可能悄然失败,以致构造的对象只是部分正确,从而导致出现极难调试的缺陷。调用程序应捕获这些异常,以便可以正确地处理错误的序列化/反序列化,而不会出现崩溃或部分构造的对象。
References
[1] SER01-J. Do not deviate from the proper signatures of serialization methods CERT
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
desc.structural.java.code_correctness_incorrect_serializable_method_signature

Code Correctness: Multiple Stream Commits

Abstract
提交 servlet 的输出流之后,重置流缓冲区或执行重新提交该数据流的其他任何操作都是错误的做法。与之类似,在调用 getOutputStream 之后调用 getWriter() 也是错误的做法,反之亦然。
Explanation
转发 HttpServletRequest、重定向 HttpServletResponse 或者刷新 servlet 的输出流缓冲区会导致提交相关的数据流。后续执行的任何缓冲区重置或数据流提交操作,例如额外的刷新或重定向,将会导致出现 IllegalStateException

此外,Java servlets 允许使用 ServletOutputStreamPrintWriter(但不能同时使用)将数据写入响应数据流。调用 getOutputStream() 之后调用 getWriter() 或者反向调用,也会导致出现 IllegalStateException



在运行时,IllegalStateException 会阻止响应处理程序完成运行,轻易地使其中断响应。这会导致服务器不稳定,也间接表明 servlet 实现不正确。

例 1:以下代码会在 servlet 的输出流缓冲区刷新之后重定向其响应。

public class RedirectServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        OutputStream out = res.getOutputStream();
        ...
        // flushes, and thereby commits, the output stream
        out.flush();
        out.close();        // redirecting the response causes an IllegalStateException
        res.sendRedirect("http://www.acme.com");
    }
}
例 2:相反,以下代码在请求转发之后会尝试写入并刷新 PrintWriter 的缓冲区。

public class FlushServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException {
        ...
        // forwards the request, implicitly committing the stream
        getServletConfig().getServletContext().getRequestDispatcher("/jsp/boom.jsp").forward(req, res);
        ...

        // IllegalStateException; cannot redirect after forwarding
        res.sendRedirect("http://www.acme.com/jsp/boomboom.jsp");

        PrintWriter out = res.getWriter();

        // writing to an already-committed stream will not cause an exception,
        // but will not apply these changes to the final output, either
        out.print("Writing here does nothing");

        // IllegalStateException; cannot flush a response's buffer after forwarding the request
        out.flush();
        out.close();
    }
}
References
[1] IllegalStateException in a Servlet - when & why do we get?
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[10] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
desc.controlflow.java.code_correctness_multiple_stream_commits

Code Correctness: Negative Content-Length

Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码将设置不正确的 Content-Length

  URL url = new URL("http://www.example.com");
  HttpURLConnection huc = (HttpURLConnection)url.openConnection();
  huc.setRequestProperty("Content-Length", "-1000");
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
desc.structural.java.api_abuse_code_correctness_negative_content_length
Abstract
Content-Length 头文件设为负值。
Explanation
在大多数情况下,设置 Content-Length 请求标题表示开发者对
发送给服务器的 POST 数据长度感兴趣。但是,此标题应为 0
正整数。

示例 1:以下代码错误地将 Content-Length 头文件设置为负值:

  xhr.setRequestHeader("Content-Length", "-1000");
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 398
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
desc.structural.javascript.api_abuse_code_correctness_negative_content_length

Code Correctness: ToString on Array

Abstract
ToString() 在数组上被调用。
Explanation
大多数情况下,在数组上调用 ToString() 表示开发者希望将数组内容作为字符串返回。然而,在数组上直接调用 ToString() 将返回一个字符串值,它包含该数组的类型。

示例 1:以下代码将输出 System.String[]

String[] stringArray = { "element 1", "element 2", "element 3", "element 4" };
System.Diagnostics.Debug.WriteLine(stringArray.ToString());
References
[1] Class Arrays Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.dotnet.code_correctness_tostring_on_array
Abstract
toString() 在数组上被调用。
Explanation
大多数情况下,在数组上调用 toString() 表示开发者希望将数组内容作为字符串返回。然而,在数组上直接调用 toString() 将返回一个字符串值,它包含内存中该数组的类型和哈希码。
例 1:以下代码将输出 [Ljava.lang.String;@1232121

String[] strList = new String[5];
...
System.out.println(strList);
References
[1] Class Arrays Sun Microsystems
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 398
desc.structural.java.code_correctness_tostring_on_array