界: Encapsulation

封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。

104 个项目已找到
弱点

System Information Leak: Internal

Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例:以下代码会在屏幕上显示 SAPFTP 版本信息:


...
CALL FUNCTION 'FTP_VERSION'
  ...
  IMPORTING
    EXEPATH     = p
    VERSION     = v
    WORKING_DIR = dir
    RFCPATH     = rfcp
    RFCVERSION  = rfcv
  TABLES
    FTP_TRACE =                 FTP_TRACE.

WRITE: 'exepath: ', p, 'version: ', v, 'working_dir: ', dir, 'rfcpath: ', rfcp, 'rfcversion: ', rfcv.
...


根据选定屏幕的配置,此信息可转储到屏幕,也可以直接发送到打印机。在某些情况下,版本信息正好可以准确地告诉攻击者入侵此系统的可能性有多大。同样,错误消息也可以告诉攻击者入侵此系统的可能性究竟有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.abap.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将堆栈跟踪输出到“Debug”控制台或日志文件:


  try {
    ...
  }
  catch(e:Error) {
    trace(e.getStackTrace());
  }


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息恰好可以告诉攻击者入侵这一系统的可能性究竟有多大。例如,一则数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,搜索路径可能会暗示操作系统的类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.actionscript.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码将一个异常消息写入调试日志:


try {
    ...
} catch (Exception e) {
    System.Debug(LoggingLevel.ERROR, e.getMessage());
}


该错误消息可使攻击者能够制定攻击计划。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.apex.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例 1:下面的代码会构造一个数据库连接字符串,使用它新建一个数据库连接,并将其写入控制台。


string cs="database=northwind;server=mySQLServer...";
SqlConnection conn=new SqlConnection(cs);
...
Console.Writeline(cs);


根据系统配置,此信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dotnet.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例 1:以下代码会将路径环境变量输出到标准错误流:


  char* path = getenv("PATH");
  ...
  fprintf(stderr, "cannot find exe on path %s\n", path);


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息可以准确地告诉攻击者系统容易遭受哪种类型的攻击。例如,一则数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,搜索路径可能会暗示操作系统的类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cpp.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例:下列代码要求对所有任务相关的存储区域、终端控制表和指定的数据区域进行事务转储。


...
EXEC CICS DUMP TRANSACTION
  DUMPCODE('name')
  FROM (data-area)
  LENGTH (data-value)
END-EXEC.
...


依据这一系统配置,该信息可转储到控制台,写成日志文件,或者显示给用户。在某些情况下,该错误消息恰好可以告诉攻击者入侵这一系统的可能性究竟有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cobol.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过打印或日志功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例:以下代码将写入本地文件系统上的文件:


<cfscript>
    try { 
        obj = CreateObject("person"); 
    } 
    catch(any excpt) { 
        f = FileOpen("c:\log.txt", "write"); 
        FileWriteLine(f, "#excpt.Message#");
        FileClose(f);
    }
</cfscript>


将此信息写入日志文件。在某些情况下,该消息准确告诉攻击者这一系统易受何种攻击。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.cfml.system_information_leak_internal
Abstract
揭示系统数据或调试信息可帮助攻击者了解系统并制定攻击计划。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:下面的代码将一个异常写入本地文件:


  final file = await File('example.txt').create();
  final raf = await file.open(mode: FileMode.write);
  final data = String.fromEnvironment("PASSWORD");
  raf.writeString(data);


根据系统配置,此信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。

信息泄漏也是移动计算环境中的一个问题。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.dart.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例 1:以下代码会将路径环境变量输出到标准错误流:


  path := os.Getenv("PATH")
  ...
  log.Printf("Cannot find exe on path %s\n", path)


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型有哪些。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,搜索路径可能会暗示操作系统的类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.golang.system_information_leak_internal
Abstract
揭示系统数据或调试信息可帮助攻击者了解系统并制定攻击计划。
Explanation
当系统数据或调试信息通过套接字或网络连接使程序流向远程机器时,就会发生外部信息泄露。外部信息泄露会暴露有关操作系统、完整路径名、现有用户名或配置文件位置的特定数据,从而使攻击者有机可乘,它比内部信息(攻击者更难访问)泄露更严重。

示例 1:以下代码泄露了 HTTP 响应中的异常信息:


protected void doPost (HttpServletRequest req, HttpServletResponse res) throws IOException {
    ...
    PrintWriter out = res.getWriter();
    try {
        ...
    } catch (Exception e) {
      out.println(e.getMessage());
    }
}


该信息可能会显示给远程用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。

信息泄漏也是移动计算环境中的一个问题。在移动平台上,可以从各种来源下载应用程序,并且可以在同一设备上同时运行这些应用程序。因为恶意软件在银行应用程序附近运行的可能性很高,所以应用程序的作者需要注意消息所包含的信息,这些消息将会发送给在设备上运行的其他应用程序。

示例 2:以下代码可向所有注册的 Android 接收者广播所捕获异常的堆栈跟踪。

...
try {
  ...
} catch (Exception e) {
    String exception = Log.getStackTraceString(e);
    Intent i = new Intent();
    i.setAction("SEND_EXCEPTION");
    i.putExtra("exception", exception);
    view.getContext().sendBroadcast(i);
}
...


这是另一种情况,特定于移动环境。大多数移动设备现在执行的是“近场通信”(NFC) 协议,以便使用无线电通信在设备之间快速共享信息。它在设备极为贴近或互相接触时有效。即使 NFC 的通信范围仅局限于几厘米,也可能发生窃听、修改数据以及各种其他类型的攻击情况,因为 NFC 本身并不能确保通信安全。

示例 3:Android 平台为 NFC 提供了支持。以下代码将创建一条消息,该消息会被发送给所在范围内的其他设备。

...
public static final String TAG = "NfcActivity";
private static final String DATA_SPLITTER = "__:DATA:__";
private static final String MIME_TYPE = "application/my.applications.mimetype";
...
TelephonyManager tm = (TelephonyManager)Context.getSystemService(Context.TELEPHONY_SERVICE);
String VERSION = tm.getDeviceSoftwareVersion();
...
NfcAdapter nfcAdapter = NfcAdapter.getDefaultAdapter(this);
if (nfcAdapter == null)
  return;

String text = TAG + DATA_SPLITTER + VERSION;
NdefRecord record = new NdefRecord(NdefRecord.TNF_MIME_MEDIA,
            MIME_TYPE.getBytes(), new byte[0], text.getBytes());
NdefRecord[] records = { record };
NdefMessage msg = new NdefMessage(records);
nfcAdapter.setNdefPushMessage(msg, this);
...


NFC 数据交换格式 (NDEF) 消息包含类型化数据、URI 或自定义应用程序有效负载。如果该消息包含与应用程序有关的信息(如其名称、MIME 类型或设备软件版本),则此信息可能会泄露给窃听者。
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.java.system_information_leak_external
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将一个异常写入标准错误流:


var http = require('http');
...

http.request(options, function(res){
  ...
}).on('error', function(e){
  console.log('There was a problem with the request: ' + e);
});
...


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.javascript.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将一个异常写入标准错误流:


try {
    ...
} catch (e: Exception) {
    e.printStackTrace()
}


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。

信息泄漏也是移动计算环境中的一个问题。

示例 2:以下代码记录了在 Android 平台上捕获的异常的堆栈跟踪。

...
try {
  ...
} catch (e: Exception) {
    Log.e(TAG, Log.getStackTraceString(e))
}
...
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.kotlin.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。
示例 1:以下代码会将系统信息泄漏到系统日志中:


...
NSString* deviceID = [[UIDevice currentDevice] name];

NSLog(@"DeviceID: %@", deviceID);
...


在移动世界中,当设备丢失或被盗时,就会产生有关维护系统信息的其他方面的忧虑。攻击者一旦拥有 iOS 设备之后,即可通过对设备进行 USB 连接来访问其中的大量数据。iOS 属性列表 (plist) 及 SQLite 数据库等文件很容易访问,可能会泄露个人信息。通常的做法是,不要将相关的隐私信息存储在文件系统中不受保护的位置。

示例 2:下列代码向用户默认值列表中添加了一个 deviceID 条目,并立即将其存储在一个 plist 文件中。


...
NSString* deviceID = [[UIDevice currentDevice] name];

[defaults setObject:deviceID forKey:@"deviceID"];
[defaults synchronize];
...
Example 2 中的代码会将移动设备上的系统信息存储在该设备上一个不受保护的 plist 文件中。尽管许多开发人员认为 plist 文件是存储所有数据的安全位置,但这不是绝对的,特别是涉及到系统信息和隐私问题时,因为 plist 文件可被持有该设备的任何人读取。

依据这一系统配置,该信息可转储到控制台,写成日志文件,或者显示给用户。在某些情况下,这个错误消息正好可以准确地告诉攻击者系统被入侵的可能性有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.objc.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将一个异常写入标准错误流:


<?php
    ...
    echo "Server error! Printing the backtrace";
    debug_print_backtrace();
    ...
?>


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.php.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将一个异常写入标准输出流:


    try:
        ...
    except:
        print(sys.exc_info()[2])


此信息将转储到控制台。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.python.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码会将一个异常写入标准错误流:


...
begin
  log = Logger.new(STDERR)
  ...
rescue Exception
    log.info("Exception: " + $!)
...
end


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。当然,Example 1 还有一个问题就是挽救根 Exception 而不是特定类型或错误/异常,这意味着它将捕获所有异常,从而可能导致其他未考虑到的负面影响。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.ruby.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:以下代码针对标准输出流输出系统信息:


...
println(Properties.osName)
...


根据这一系统配置,该信息可能会转储到控制台、写入日志文件或公开给用户。在某些情况下,该错误消息会告诉攻击者该系统易遭受的确切攻击类型。例如,数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息可以揭示有关该系统的更多间接线索。在Example 1 中,泄露的信息可能会暗示有关操作系统类型、系统上安装了哪些应用程序以及管理员在配置程序时采取了哪些保护措施的信息。
References
[1] Ernst Haselsteiner and Klemens Breitfuss Security in Near Field Communication (NFC): Strengths and Weaknesses
[2] ERR01-J. Do not allow exceptions to expose sensitive information CERT
[3] ENV02-J. Do not trust the values of environment variables CERT
[4] FUNDAMENTALS-4: Establish trust boundaries Oracle
[5] CONFIDENTIAL-1: Purge sensitive information from exceptions Oracle
[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[10] Standards Mapping - CIS Kubernetes Benchmark partial
[11] Standards Mapping - Common Weakness Enumeration CWE ID 497
[12] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[13] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[14] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[19] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[24] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[25] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.scala.system_information_leak_internal
Abstract
揭示系统数据或调试信息有助于攻击者了解系统并制定攻击计划。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。



在移动世界中,当设备丢失或被盗时,就会产生有关维护系统信息的其他方面的忧虑。攻击者一旦拥有 iOS 设备之后,即可通过对设备进行 USB 连接来访问其中的大量数据。iOS 属性列表 (plist) 及 SQLite 数据库等文件很容易访问,可能会泄露个人信息。通常的做法是,不要将相关的隐私信息存储在文件系统中不受保护的位置。

示例:以下代码会将设备标识符打印到系统日志:


let deviceName = UIDevice.currentDevice().name
...
NSLog("Device Identifier: %@", deviceName)


依据这一系统配置,该信息可转储到控制台,写成日志文件,或者显示给用户。在某些情况下,这个错误消息正好可以准确地告诉攻击者系统被入侵的可能性有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他的错误消息可以揭示有关该系统的更多间接线索。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.dataflow.swift.system_information_leak_internal
Abstract
显示系统数据或调试信息使攻击者能够使用系统信息来计划攻击。
Explanation
通过打印或日志记录功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例:以下代码向脚本调试器发送 ASPError 对象,如 Microsoft Script Debugger:


...
Debug.Write Server.GetLastError()
...


在某些情况下,该错误消息恰好可以告诉攻击者入侵这一系统的可能性究竟有多大。例如,一个数据库错误消息可以揭示应用程序容易受到 SQL Injection 攻击。其他错误消息会泄露更多有关系统的间接线索,如操作系统的类型、系统上安装了哪些应用程序,以及管理员在配置应用程序时做了哪些方面的努力。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.2 Sensitive Private Data (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[19] Standards Mapping - OWASP Mobile 2024 M9 Insecure Data Storage
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.vb.system_information_leak_internal

System Information Leak: iOS Property List

Abstract
存储但未受保护的系统信息(例如,明文文件中的设备 ID)会危害系统安全性。揭示系统数据或调试信息可帮助攻击者了解系统并制定攻击计划。
Explanation
通过日志或打印功能将系统数据或调试信息发送到本地文件、控制台或屏幕时,就会发生内部信息泄露。

示例 1:下列 XML 包含有关 plist 文件中存储的设备的系统信息。除存储的其他值外,UDID 键还会存储唯一设备标识符。



<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>systemName</key>
  <string>John's iPhone</string>
  <key>systemInfo</key>
  <dict>
          <key>UDID</key>
          <string>2b6f0cc904d137be2e1730235f5664094b831186</string>
          <key>systemVersion</key>
          <string>4.2</string>
          <key>model</key>
          <string>iPhone</string>
          <key>localizedModel</key>
          <string>iPhone</string>
  </dict>
</dict>
</plist>

Example 1 中的代码会将移动设备中的私人信息存储在该设备上的一个不受支持的 plist 文件中。尽管许多开发人员认为 plist 文件是存储所有数据的安全位置,但这不是绝对的,特别是涉及到系统信息和隐私问题时,因为 plist 文件可被持有该设备的任何人读取。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 497
[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[14] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[18] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.objc.system_information_leak_ios_property_list

System Information Leak: Overly Broad SQL Logging

Abstract
应用程序启用了敏感数据记录,这可能会暴露系统信息或危及用户私人数据。
Explanation
避免在生产系统中记录 SQL 查询。SQL 查询通常包含敏感信息,例如信用卡详细信息或社会保障号码,采用明文形式记录此信息可能会危及信息机密性。

示例 1:以下 Entity Framwork Core 框架代码将 EnableSensitiveDataLogging 选项设置为 true,这使得在数据库命令中使用的应用程序数据包含在日志记录和异常消息中。

    ...
    services.AddDbContext<ApplicationDbContext>(options => {
        options.UseSqlServer(_configuration.GetConnectionString("ApplicationDbConnection"));
        options.EnableSensitiveDataLogging(true);
    });
    ...
References
[1] Microsoft DbContextOptionsBuilder.EnableSensitiveDataLogging Method
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 497
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[12] Standards Mapping - FIPS200 AU
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.dotnet.system_information_leak_overly_broad_sql_logging
Abstract
记录过多 SQL 查询信息可能会暴露系统信息或危及用户私人数据。
Explanation
避免在生产系统中记录 SQL 查询。SQL 查询通常包含敏感信息,例如信用卡详细信息或社会保障号码,采用明文形式记录此信息可能会危及信息机密性。

示例 1:log4j.properties 文件中的以下条目将在 info 级别记录所有查询。

...
log4j.logger.net.sf.hibernate.type=info
log4j.logger.net.sf.hibernate.tool.hbm2ddl=info
...
References
[1] Red Hat Middleware, LLC Hibernate Reference Documentation
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.1
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 497
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[12] Standards Mapping - FIPS200 AU
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.5.6
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective A.2.3 - Cardholder Data Protection
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.system_information_leak_overly_broad_sql_logging

System Information Leak: SignalR Exposed JavaScript Proxy

Abstract
自动生成 JavaScript 代理文件可能会泄露系统信息,因为它们在 Hub 中列出所有暴露的方法。
Explanation
如果不希望在每个用户的 JavaScript 代理文件中包括所有的集线器和方法,您可以禁用自动生成文件。如果有多个集线器和方法,但是不想让每个用户都知道所有的方法时,您可以选择此选项。
References
[1] Introduction to SignalR Security
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 497
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[22] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.dotnet.system_information_leak_signalr_exposed_javascript_proxy

System Information Leak: Spring Boot Actuators Enabled

Abstract
启用 Spring Boot Actuator 可揭示系统数据和调试信息,可能有利于攻击者了解系统并制定攻击计划。
Explanation
Spring Boot Actuators 允许用户监控应用程序并与之交互。目前有多种不同的内置 Actuator,它们通过 HTTP 端点、JMX 乃至远程 shell(SSH 或 Telnet)公开系统数据和调试信息。攻击者可能从这些信息中受益,了解系统并收集可用于攻击应用程序的信息。
References
[1] Spring Boot Reference Guide Spring
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 497
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[12] Standards Mapping - FIPS200 CM
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SI-11 Error Handling (P2)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SI-11 Error Handling
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.system_information_leak_spring_boot_actuators_enabled

System Information Leak: Struts 2

Abstract
揭示系统数据或调试信息可帮助攻击者了解系统并制定攻击计划。
Explanation
当系统数据或调试信息通过输出流或者日志功能流出程序时,就会发生信息泄漏。

在这种情况下,Struts 2 Config Browser 在 Maven pom.xml 文件中配置,因此它是可用的,并且与应用程序一起部署。

Config Browser 插件是一种调试工具,旨在运行时帮助查看应用程序配置。当调试可能与配置问题相关的问题时很有帮助,但暴露细节过多,可能有助于攻击者映射和建模应用程序。
References
[1] Struts Config Browser Plugin Apache Software Foundation
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 497
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[12] Standards Mapping - FIPS200 CM
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SI-11 Error Handling (P2)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SI-11 Error Handling
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.java.system_information_leak_apache_struts2

Trust Boundary Violation

Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。
示例:以下 C# 代码会接受一个 HTTP 请求,并且在检查这个用户是否合法之前,就将 usrname 参数存储在 HTTP 会话对象中。


usrname = request.Item("usrname");
if (session.Item(ATTR_USR) == null) {
    session.Add(ATTR_USR, usrname);
}


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.dotnet.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下 Java 代码接受了一个 HTTP 请求。在 HTTP 会话对象中存储了 usrname 参数以后,再进行检查,以确保该用户已经过了验证。


usrname = request.getParameter("usrname");
if (session.getAttribute(ATTR_USR) != null) {
    session.setAttribute(ATTR_USR, usrname);
}


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[2] FUNDAMENTALS-4: Establish trust boundaries Oracle
desc.dataflow.java.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下代码将一个不可信的项目 (URL) 从 iOS 扩展 JavaScript 脚本传递到 iOS 扩展代码。


var GetURL = function() {};
GetURL.prototype = {
    run: function(arguments) {
        ...
        arguments.completionFunction({ "URL": document.location.href });
    }
    ...        
};
var ExtensionPreprocessingJS = new GetURL;


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[2] FUNDAMENTALS-4: Establish trust boundaries Oracle
desc.dataflow.javascript.trust_boundary_violation
Abstract
在同一数据结构中将可信任数据和不受信任数据混合在一起会导致程序员错误地信任未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不受信任的一边移动到可信任的另一边。

当程序使可信任和不受信任的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信任数据和不受信任数据共同混合在同一数据结构中。

示例:以下 Kotlin 代码接受了一个 HTTP 请求,并在 HTTP 会话对象中存储 usrname 参数,再进行检查以确保该用户已经过了验证。


val usrname: String = request.getParameter("usrname")
if (session.getAttribute(ATTR_USR) != null) {
    session.setAttribute(ATTR_USR, usrname)
}


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[2] FUNDAMENTALS-4: Establish trust boundaries Oracle
desc.dataflow.kotlin.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的一条分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下代码将一个不可信的项目从 iOS 扩展传递到 webview 主机。


#import <MobileCoreServices/MobileCoreServices.h>

- (IBAction)done {
    ...
    [self.extensionContext completeRequestReturningItems:@[untrustedItem] completionHandler:nil];
}


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.objc.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。
示例:以下代码接受了一个 usrname cookie,并且在验证该用户是否合法之前,将该值存储在 HTTP DB 会话中。


...
IF (OWA_COOKIE.get('usrname').num_vals != 0) THEN
usrname := OWA_COOKIE.get('usrname').vals(1);
END IF;
IF (v('ATTR_USR') IS null) THEN
HTMLDB_UTIL.set_session_state('ATTR_USR', usrname);
END IF;
...


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.sql.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下 Python 代码接受了一个 HTTP 请求,并在 HTTP 会话对象中存储 username 参数,再进行检查以确保该用户已经过了验证。


uname = request.GET['username']
request.session['username'] = uname


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.python.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的一条分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下代码将一个不可信的项目从 iOS 扩展传递到 webview 主机。


import MobileCoreServices

@IBAction func done() {
    ...
    self.extensionContext!.completeRequestReturningItems([unstrustedItem], completionHandler: nil)
}


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.swift.trust_boundary_violation
Abstract
在同一数据结构中将可信赖数据和不可信赖数据混合在一起会导致程序员错误地信赖未验证的数据。
Explanation
信任边界可以理解为在程序中划分的分界线。分界线的一边是不可信赖的数据。分界线的另一边则是被认定为是可信赖的数据。验证逻辑的用途是允许数据安全地跨越信任边界 — 从不可信赖的一边移动到可信赖的另一边。

当程序使可信赖和不可信赖的分界线模糊不清时,就会发生 Trust Boundary Violation 漏洞。发生这种错误的最普遍方式是允许可信赖的数据和不可信赖的数据共同混合在同一数据结构中。

示例:以下代码接受了一个 HTTP 请求,它会在 HTTP 会话对象中存储 usrname 参数,然后进行检查以确保该用户已经过了验证。


...
Dim Response As Response
Dim Request As Request
Dim Session As Session
Dim Application As Application
Dim Server As Server
Dim usrname as Variant
Set Response = objContext("Response")
Set Request = objContext("Request")
Set Session = objContext("Session")
Set Application = objContext("Application")

usrname = Request.Form("usrname")
If IsNull(Session("ATTR_USR")) Then
	Session("ATTR_USR") = usrname
End If
...


若不对信任边界进行合理构建及良好维护,则程序员不可避免地会混淆哪些数据已经过验证,哪些尚未经过验证。这种混淆最终会导致某些数据未经验证就加以使用了。
References
[1] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
desc.dataflow.vb.trust_boundary_violation