Weaknesses
Abstract
The unsecure attribute specifies a list of attributes whose values can be set on the client.
Explanation
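Attribute values of Oracle ADF Faces components can normally be set only on the server. However, many components allow developers to define a list of attributes that can be set on the client. The unsecure attribute of these components specifies this list.

Currently, the only attribute that can appear in the unsecure attribute is disabled, which allows the client to define which components are enabled and which are disabled. It is best not to let the client control the values of attributes that should only be set on the server.

Example 1: The following code shows an inputText component that collects password information from the user and uses the unsecure attribute.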


...
<af:inputText id="pwdBox"
    label="#{resources.PWD}"
    value="#{userBean.password}"
    unsecure="disabled"
    secret="true"
    required="true"/>
...
desc.structural.java.adf_faces_bad_practices_unsecure_attribute
Abstract
The application allows cookies to be used with the file:// scheme, which can have undesirable security implications.
Explanation
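According to RFC 2109, cookies are strictly an HTTP mechanism. They should not be used with any scheme other than HTTP, including file://. It is unclear what their behavior should be and which security compartmentalization rules apply. For example, should an HTML file downloaded from the Internet to the local disk share the same cookies as any locally installed HTML code?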
desc.semantic.java.android_bad_practices_use_of_file_scheme_cookies
Abstract
The application calls an internal or hidden API.
Explanation
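Developers are advised not to build their applications on undocumented or hidden APIs. Because there is no guarantee that Google will not remove or change these APIs in the future, they should be avoided, and using such methods or fields carries a high risk of breaking the application.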
desc.structural.cpp.android_bad_practices_use_of_internal_apis
Abstract
The application calls an internal or hidden API.
Explanation
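Developers are advised not to build their applications on undocumented or hidden APIs. Because there is no guarantee that Google will not remove or change these APIs in the future, they should be avoided, and using such methods or fields carries a high risk of breaking the application.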
desc.structural.java.android_bad_practices_use_of_internal_apis
Abstract
The code references the Camera object after it has been released.
Explanation
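The code attempts to use the Camera object after it has been released. Any further reference to the resource without reacquiring the Camera object throws an exception, which can crash the application if it is not caught.

Example 1: The following code uses a toggle button to turn the camera preview on and off. After the user taps the button, the camera preview stops and the camera resource is released. However, if the button is tapped again, startPreview() is called on the previously released Camera object.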


public class ReuseCameraActivity extends Activity {
    private Camera cam;

    ...
    private class CameraButtonListener implements OnClickListener {
        public void onClick(View v) {
            if (toggle) {
                cam.stopPreview();
                cam.release();      // cam is released here
            }
            else {
                cam.startPreview(); // called on the released Camera object
            }
            toggle = !toggle;
        }
    }
    ...
}
desc.controlflow.java.android_bad_practices_use_of_released_camera_resource
Abstract
The code references an Android media object after it has been released.
Explanation
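The code attempts to use a media object after it has been released. Any further reference to the resource without reacquiring the media object throws an exception, which can crash the application if it is not caught.

Example 1: The following code uses a pause button to toggle media playback. After the user taps the button, the current song or video is paused and the media resource is released. However, if the button is tapped again, start() is called on the previously released media resource.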


public class ReuseMediaPlayerActivity extends Activity {
    private MediaPlayer mp;

    ...
    private class PauseButtonListener implements OnClickListener {
        public void onClick(View v) {
            if (paused) {
                mp.pause();
                mp.release();   // mp is released here
            }
            else {
                mp.start();     // called on the released MediaPlayer
            }
            paused = !paused;
        }
    }
    ...
}
desc.controlflow.java.android_bad_practices_use_of_released_media_resource
Abstract
The code references an Android database handler after it has been released.
Explanation
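The code attempts to use an Android SQLite database handler after it has been closed. Any further reference to the handler without re-establishing the database connection throws an exception, which can crash the application if it is not caught.

Example 1: The following code might come from a program that temporarily caches user values in memory but can call flushUpdates() to commit the changes to disk. The method correctly closes the database handler after writing the updates to the database. However, when flushUpdates() is called again, the database object is referenced again before it has been reinitialized.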


public class ReuseDBActivity extends Activity {
    private myDBHelper dbHelper;
    private SQLiteDatabase db;

    @Override
    public void onCreate(Bundle state) {
        ...
        db = dbHelper.getWritableDatabase();
        ...
    }
    ...

    private void flushUpdates() {
        db.insert(cached_data); // flush cached data; db is already closed on a second call
        dbHelper.close();       // db is never reopened after this
    }
    ...
}
desc.controlflow.java.android_bad_practices_use_of_released_sqlite_resource
Abstract
This file contains unminified JavaScript. For performance reasons, Microsoft recommends including minified versions of JavaScript libraries.
Explanation
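Minified versions of libraries reduce file size and so improve page load times for applications that include JavaScript files. Minification is the process of removing unnecessary whitespace, comments, semicolons, and brackets, shortening the names of local variables, and removing unreachable code.

Example 1: The following ASPX code includes the unminified version of Microsoft's jQuery library: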


...
<script src="http://applicationserver.application.com/lib/jquery/jquery-1.4.2.js" type="text/javascript"></script>
...
desc.semantic.dotnet.asp_net_bad_practices_unminified_code
Abstract
The application specifies the ASP.NET cookie policy middleware incorrectly.
Explanation
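ASP.NET Core middleware that is not added to the middleware pipeline in the correct order does not work as intended, which exposes the application to a variety of security problems.

Example 1: The UseCookiePolicy() method adds the cookie policy middleware to the middleware pipeline, which allows custom cookie policies. When it is specified in the wrong order, as shown, any cookie policy the programmer declares is ignored.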


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
});

app.UseCookiePolicy(); // registered last: the declared cookie policy is ignored
...
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration
Abstract
The application specifies the default ASP.NET HTTPS redirection middleware incorrectly.
Explanation
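ASP.NET Core middleware that is not added to the middleware pipeline in the correct order does not work as intended, which exposes the application to a variety of security problems.

Example 1: The UseHttpsRedirection() method adds the HTTPS redirection middleware to the middleware pipeline, which redirects insecure HTTP requests to secure HTTPS requests. When it is specified in the wrong order, as shown, no meaningful HTTPS redirection takes place until the request has already been processed by the middleware listed before the redirection. The application therefore handles the request over HTTP before redirecting to a secure HTTPS connection.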


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
});

app.UseHttpsRedirection(); // registered last: the request was already handled over HTTP
...
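
An ordering check for the two ASP.NET Core middleware entries on this page (cookie policy and HTTPS redirection), given as an added example that is not part of the original page or of any analyzer's own code. It scans Program.cs text for app.Use...() calls and reports guard middleware registered after the middleware it has to precede. The rule table MUST_PRECEDE, the default variable name app and both sample programs are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Tuple

# Assumed rule table: guard middleware -> middleware that must be registered
# AFTER it. Adjust the sets to the pipeline your application actually uses.
MUST_PRECEDE = {
    "UseHttpsRedirection": {"UseStaticFiles", "UseRouting", "UseSession",
                            "UseAuthentication", "UseAuthorization",
                            "UseEndpoints"},
    "UseCookiePolicy": {"UseSession", "UseAuthentication", "UseEndpoints"},
}

CALL_RE = re.compile(r"\b(\w+)\.(Use\w+)\s*\(")
LINE_COMMENT_RE = re.compile(r"//.*$")  # only // comments are handled


class Finding(NamedTuple):
    guard: str         # middleware that was registered too late
    guard_line: int
    earlier: str       # middleware that already ran before the guard
    earlier_line: int


def middleware_calls(source: str, app_var: str = "app") -> List[Tuple[str, int]]:
    """Return (method, line) for every <app_var>.UseXxx( call, in source order."""
    calls = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = LINE_COMMENT_RE.sub("", line)  # ignore commented-out calls
        for match in CALL_RE.finditer(code):
            if match.group(1) == app_var:
                calls.append((match.group(2), lineno))
    return calls


def check_order(source: str, app_var: str = "app") -> List[Finding]:
    """Report each guard that appears after middleware it must precede."""
    calls = middleware_calls(source, app_var)
    findings = []
    for idx, (name, lineno) in enumerate(calls):
        dependents = MUST_PRECEDE.get(name)
        if not dependents:
            continue
        for earlier, earlier_line in calls[:idx]:
            if earlier in dependents:
                findings.append(Finding(name, lineno, earlier, earlier_line))
    return findings


# Constructed sample: the order shown in the two examples on this page, combined.
BAD_PROGRAM = """\
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
app.UseCookiePolicy();      // too late
app.UseHttpsRedirection();  // too late
"""

# Constructed sample: both guards registered before the middleware they protect.
GOOD_PROGRAM = """\
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseCookiePolicy();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseSession();
app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
"""

if __name__ == "__main__":
    for f in check_order(BAD_PROGRAM):
        print(f"line {f.guard_line}: {f.guard}() is registered after "
              f"{f.earlier}() on line {f.earlier_line}")
```

The check is textual: it does not follow calls made through helper methods or extension classes, so treat a clean result as a first pass rather than proof of a correct pipeline.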
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport
Abstract
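The application specifies the ASP.NET Core logging middleware incorrectly.
Explanation
ASP.NET Core middleware that is not added to the middleware pipeline in the correct order will not function as intended, exposing the application to a variety of security issues.

Example 1: The UseHttpLogging() method adds HTTP logging middleware to the middleware pipeline, which allows middleware components to be logged. When specified in the incorrect order shown, any middleware added to the pipeline before the call to UseHttpLogging() will not be logged.


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
});

// Logging middleware is registered last, after everything it should observe
app.UseHttpLogging();
...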
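Example 2: The UseW3CLogging() method adds W3C logging middleware to the middleware pipeline, which allows middleware components to be logged. When specified in the incorrect order shown, any middleware added to the pipeline before the call to UseW3CLogging() will not be logged.


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
});

// Logging middleware is registered last, after everything it should observe
app.UseW3CLogging();
...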
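The corrected ordering for the two examples above, as an added example that is not code from the original page or from Microsoft. It assumes a .NET 6+ minimal-hosting Program.cs; the /health endpoint, the selected logging fields and the use of both loggers together are illustrative assumptions.

```csharp
// Added example: logging middleware registered before the components it must observe.
using Microsoft.AspNetCore.HttpLogging;

var builder = WebApplication.CreateBuilder(args);

// Services required by the two logging middlewares.
builder.Services.AddHttpLogging(options =>
{
    // Request line, headers and response status/headers only. Bodies are left
    // out so that credentials or tokens in payloads are not copied into logs.
    options.LoggingFields = HttpLoggingFields.RequestPropertiesAndHeaders
                          | HttpLoggingFields.ResponsePropertiesAndHeaders;
});
builder.Services.AddW3CLogging(options =>
{
    options.LoggingFields = W3CLoggingFields.All;
});
builder.Services.AddAuthorization();

var app = builder.Build();

// Logging comes first: middleware that ends the request early (static files,
// a matched endpoint, a failed authorization check) never calls the next
// component, so a logger placed after it would not see those requests.
app.UseHttpLogging();
app.UseW3CLogging();

app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();

// Hypothetical endpoint so the pipeline has something to serve.
app.MapGet("/health", () => "ok");

app.Run();
```

A quick review check for this finding is to read Program.cs top to bottom and confirm that no `Use*` call precedes the logging calls.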
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging
Abstract
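Controller actions may benefit from being restricted to accept only one of the following HTTP verbs: Post, Put, Patch, or Delete.
Explanation
ASP.NET MVC controller actions that modify data by writing, updating, or deleting may benefit from being restricted to accept only one of the following HTTP verbs: Post, Put, Patch, or Delete. This makes Cross-Site Request Forgery more difficult, because accidentally clicking a link will not cause the action to execute.

The following controller action accepts any verb by default and may be susceptible to cross-site request forgery:


public ActionResult UpdateWidget(Model model)
{
    // ... controller logic
}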
References
[1] Don't use Delete Links because they create Security Holes
[2] Standards Mapping - Common Weakness Enumeration CWE ID 352
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [4] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.dotnet.aspnet_mvc_bad_practices_action_not_post_only
Abstract
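The model class has both required and non-required properties, and therefore may be susceptible to over-posting attacks.
Explanation
Using a model class that has required properties (marked with the [Required] attribute) and optional properties (not marked with the [Required] attribute) can lead to problems if an attacker sends a request that contains more data than expected.

The ASP.NET MVC framework will try to bind request parameters to model properties.

Mixing required and optional properties without explicitly stating which parameters are to be model-bound may indicate that some model properties are intended for internal use but can be controlled by an attacker.

The following code defines a possible model class that has properties with [Required] and properties without [Required]:


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    // Not marked [Required]: optional, but still bound from the request
    public Boolean IsAdmin { get; set; }
}


If any optional parameter can change the behavior of the application, an attacker can actually change that behavior by sending that optional parameter in a request.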
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] BindAttribute Class
[3] RequiredAttribute Class
[4] Standards Mapping - Common Weakness Enumeration CWE ID 345
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[13] Standards Mapping - OWASP Top 10 2010 A1 Injection
[14] Standards Mapping - OWASP Top 10 2013 A1 Injection
[15] Standards Mapping - OWASP Top 10 2017 A1 Injection
[16] Standards Mapping - OWASP Top 10 2021 A03 Injection
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model
Abstract
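The model class has a required non-nullable property and therefore may be susceptible to under-posting attacks.
Explanation
Using a model class that has required non-nullable properties (marked with the [Required] attribute) can lead to problems if an attacker sends a request that contains less data than expected.

The ASP.NET MVC framework will try to bind request parameters to model properties.

If a model has a required non-nullable property and an attacker does not send the required parameter (that is, the attacker uses an under-posting attack), the property will have its default value (usually zero), and that default value will satisfy the [Required] validation attribute. This may produce unexpected application behavior.

The following code defines a possible model class that has a required enum, which is non-nullable:


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    // Non-nullable enum: defaults to 0 when the parameter is missing
    [Required]
    public ArgumentOptions Rounding { get; set; }
}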
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model
Abstract
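The model class has a required property and is the type of an optional member of a parent model class, and therefore may be susceptible to under-posting attacks.
Explanation
If a model class has a required property and is the type of an optional member of a parent model class, it may be susceptible to under-posting attacks if an attacker sends a request that contains less data than expected.

The ASP.NET MVC framework will try to bind request parameters to model properties, including submodels.

If a submodel is optional (that is, the parent model has a property for it without the [Required] attribute) and an attacker does not send the submodel, the parent property will have a null value and the required fields of the child model will not be asserted by model validation. This is one form of under-posting attack.

Consider the following model class definitions:


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    // Not marked [Required]: the whole submodel is optional
    public ChildModel Child { get; set; }
}


If an attacker does not send a value for the ParentModel.Child property, the [Required] attribute on the ChildModel.RequiredProperty property will not be asserted. This may produce unexpected and undesirable results.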
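The two under-posting cases described above (a [Required] non-nullable enum, and an optional submodel with a required field), as an added console example that is not code from the original page. It assumes .NET 6+ and uses the System.ComponentModel.DataAnnotations Validator as a stand-in for MVC model validation; HardenedModel, HardenedParentModel and UnderPostingDemo are hypothetical names, and the objects are constructed to match what a binder produces when the request omits a field.

```csharp
#nullable disable
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

public enum ArgumentOptions { OptionA = 1, OptionB = 2 }

// As on the page: [Required] on a non-nullable enum.
public class Model
{
    [Required] public string Argument { get; set; }
    [Required] public ArgumentOptions Rounding { get; set; }
}

// Hypothetical hardened variant: the enum is nullable, so a missing value stays
// null and [Required] fails; [EnumDataType] rejects undefined numeric values.
public class HardenedModel
{
    [Required] public string Argument { get; set; }

    [Required, EnumDataType(typeof(ArgumentOptions))]
    public ArgumentOptions? Rounding { get; set; }
}

// As on the page: required field inside an optional submodel.
public class ChildModel
{
    [Required] public string RequiredProperty { get; set; }
}

public class ParentModel
{
    public ChildModel Child { get; set; }
}

// Hypothetical hardened variant: the submodel itself is required.
public class HardenedParentModel
{
    [Required] public ChildModel Child { get; set; }
}

public static class UnderPostingDemo
{
    // Runs the DataAnnotations attributes on the object's own properties and
    // returns the error messages. Validator does not descend into submodels;
    // for a null submodel that makes no difference, since there is nothing to
    // descend into.
    public static List<string> Validate(object model)
    {
        var results = new List<ValidationResult>();
        Validator.TryValidateObject(model, new ValidationContext(model),
                                    results, validateAllProperties: true);
        return results.Select(r => r.ErrorMessage).ToList();
    }

    static void Report(string label, object model)
    {
        var errors = Validate(model);
        Console.WriteLine(
            $"{label}: {(errors.Count == 0 ? "VALID" : string.Join("; ", errors))}");
    }

    public static void Main()
    {
        // Constructed input: the request carried Argument but no Rounding.
        var weak = new Model { Argument = "x" };
        Report("Model, Rounding omitted", weak);
        Console.WriteLine(
            $"  Rounding = {(int)weak.Rounding}, defined member: " +
            $"{Enum.IsDefined(typeof(ArgumentOptions), weak.Rounding)}");

        Report("HardenedModel, Rounding omitted",
               new HardenedModel { Argument = "x" });

        // Constructed input: the request carried no Child.* fields at all.
        Report("ParentModel, Child omitted", new ParentModel());
        Report("HardenedParentModel, Child omitted", new HardenedParentModel());
    }
}
```

The page's two model shapes pass validation with the data missing, while the hardened variants report the missing member.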
References
[1] Input Validation vs. Model Validation in ASP.NET MVC
[2] Standards Mapping - Common Weakness Enumeration CWE ID 345
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[11] Standards Mapping - OWASP Top 10 2010 A1 Injection
[12] Standards Mapping - OWASP Top 10 2013 A1 Injection
[13] Standards Mapping - OWASP Top 10 2017 A1 Injection
[14] Standards Mapping - OWASP Top 10 2021 A03 Injection
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.aspnet_mvc_bad_practices_optional_submodel_with_required_property
Abstract
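The application asks the user for their fingerprint without providing a reason.
Explanation
According to Apple's policy, an application should always explain to the user why a fingerprint is being requested. Failing to do so may confuse users and may even cause your application to be rejected from the App Store.

Example 1: The following code uses Touch ID to authenticate the user but fails to provide a reason explaining why the authentication is needed:


[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:nil
                  reply:^(BOOL success, NSError *error) {
    if (success) {
        NSLog(@"Auth was OK");
    }
}];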
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.objc.biometric_authentication_missing_operation_message
Abstract
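The application asks the user for their fingerprint without providing a reason.
Explanation
According to Apple's policy, an application should always explain to the user why a fingerprint is being requested. Failing to do so may confuse users and may even cause your application to be rejected from the App Store.

Example 1: The following code uses Touch ID to authenticate the user but fails to provide a reason explaining why the authentication is needed:


context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "", reply: { (success, error) -> Void in
    if (success) {
        print("Auth was OK");
    }
    else {
        print("Error received: %d", error!);
    }
})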
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.swift.biometric_authentication_missing_operation_message
Abstract
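Castor queries that are not in read-only mode may affect performance.
Explanation
Even though Castor creates a lock on the object, this does not prevent other threads from reading or writing to the object. In addition, read-only queries run approximately 7 times faster than queries in the default shared mode.

Example 1: The following example specifies the SHARED query mode, which allows both read and write access.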

results = query.execute(Database.SHARED);
References
[1] ExoLab Group Castor JDO - Best practice
[2] Standards Mapping - Common Weakness Enumeration CWE ID 732
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.structural.java.castor_bad_practices_query_mode_not_read_only
Abstract
The Castor query does not explicitly define a query mode.
Explanation
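By default, Castor executes queries in shared mode. Because shared mode allows both read and write access, it is unclear what operation the query is intended to perform. If the object is used in a read-only context, shared access adds unnecessary performance overhead.

Example 1: The following example does not specify a query mode.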

results = query.execute(); //missing query mode
References
[1] ExoLab Group Castor JDO - Best practice
[2] Standards Mapping - Common Weakness Enumeration CWE ID 732
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.semantic.java.castor_bad_practices_unspecified_query_mode
Abstract
The program performs arithmetic on a boolean value, which may not produce the result the programmer intended.
Explanation
Arithmetic operations on boolean values may not behave the same way as operations on integer values, which can lead to unexpected results.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 480
[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 13.4, Rule 14.3
[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 13.4, Rule 14.3
[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 5-0-13, Rule 6-2-1
[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 7.0.1, Rule 8.14.1, Rule 8.18.2
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.cpp.code_correctness_arithmetic_operation_on_boolean
Abstract
Converting a byte array to a String can cause data loss.
Explanation
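When data from a byte array is converted to a String, what happens to data outside the applicable character set is unspecified. This can lead to data loss, or to a reduced level of security when binary data is needed to ensure that security measures are carried out correctly.

Example 1: The following code converts data to a string in order to create a hash.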


...
FileInputStream fis = new FileInputStream(myFile);
byte[] byteArr = new byte[BUFSIZE];
...
int count = fis.read(byteArr);
...
String fileString = new String(byteArr);
String fileSHA256Hex = DigestUtils.sha256Hex(fileString);
// use fileSHA256Hex to validate file
...


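If the file is smaller than BUFSIZE, this works as long as the information in myFile is encoded the same as the default character set. However, if a different encoding is used, or the file is binary, information is lost. This makes the resulting SHA hash less reliable and collisions easier to produce, especially when data outside the default character set is represented by the same value, such as a question mark.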
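The collision described above, shown beside a hash taken over the raw bytes. This is an added example, not code from the original entry: it uses the JDK's MessageDigest in place of DigestUtils, pins UTF-8 instead of relying on the default character set, and the class name, method names and sample bytes are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ByteArrayHashDemo {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Lossy path, as in Example 1: bytes -> String -> bytes -> SHA-256.
    // UTF-8 is pinned here (assumption) so the result does not depend on the platform default.
    static String hashViaString(byte[] raw) throws NoSuchAlgorithmException {
        String decoded = new String(raw, StandardCharsets.UTF_8);
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return hex(md.digest(decoded.getBytes(StandardCharsets.UTF_8)));
    }

    // Safe path: hash exactly the bytes that were read, never a decoded String.
    static String hashBytes(byte[] raw, int count) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(raw, 0, count);
        return hex(md.digest());
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample inputs: two different binary "files".
        // 0xFF and 0xFE are both invalid in UTF-8, so each decodes to U+FFFD.
        byte[] fileA = {0x50, 0x4b, (byte) 0xff, 0x01};
        byte[] fileB = {0x50, 0x4b, (byte) 0xfe, 0x01};

        System.out.println("via String, A: " + hashViaString(fileA));
        System.out.println("via String, B: " + hashViaString(fileB));
        System.out.println("collision via String: "
                + hashViaString(fileA).equals(hashViaString(fileB)));

        System.out.println("raw bytes,  A: " + hashBytes(fileA, fileA.length));
        System.out.println("raw bytes,  B: " + hashBytes(fileB, fileB.length));
        System.out.println("collision on raw bytes: "
                + hashBytes(fileA, fileA.length).equals(hashBytes(fileB, fileB.length)));
    }
}
```

When hashing a real file, pass the count returned by read() to hashBytes in a loop so that only the bytes actually read are digested.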
References
[1] STR03-J. Do not encode noncharacter data as a string CERT
[2] When 'EFBFBD' and Friends Come Knocking: Observations of Byte Array to String Conversions GDS Security
[3] Standards Mapping - Common Weakness Enumeration CWE ID 486
desc.semantic.java.code_correctness_byte_array_to_string_conversion
Abstract
Explicit calls to the garbage collector can indicate potential performance problems.
Explanation
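Almost every .NET developer has at some point run into a problem that seems so mysterious and elusive that the garbage collector looks like the only possible cause. Especially when the problem is related to time and state, we can reason from experience and find evidence that supports this theory: inserting a call to GC.Collect() seems to make the problem go away.

In the vast majority of cases we have encountered, calling GC.Collect() is the wrong thing to do. In fact, calling GC.Collect() too often causes performance problems.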
References
[1] Scott Holden The perils of GC.Collect()
[2] Rico Mariani Performance Tidbits
[3] Standards Mapping - Common Weakness Enumeration CWE ID 664
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[7] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[9] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[10] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[33] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.structural.dotnet.code_correctness_call_to_gc_collect