界: Encapsulation

封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。

104 个项目已找到
弱点

Flash Misconfiguration: Overly Permissive Custom Headers Policy

Abstract
程序定义了一个过于宽松的自定义标头策略。
Explanation
默认情况下,Flash 应用程序需要遵循 Same Origin Policy(同源策略),该策略可确保来自同一个域的两个 SWF 应用程序能够访问彼此的数据。Adobe Flash 允许开发人员通过编程或 crossdomain.xml 配置文件中的相应设置来更改该策略。从 Flash Player 9,0,124,0 开始,Adobe 还引入了定义 Flash Player 可以跨域发送的自定义标头的功能。但是,在定义这些设置时应小心谨慎,因为当过于宽松的自定义标头策略与过于宽松的跨域策略一起应用时,将允许恶意应用程序将其选择的标头发送到目标应用程序,从而可能导致各种攻击,或导致不知道如何处理接收到的标头的应用程序在执行中出现错误。

示例 1:以下配置显示了如何使用通配符指定 Flash Player 可以跨域发送的标头。


  <cross-domain-policy>
    <allow-http-request-headers-from domain="*" headers="*"/>
  </cross-domain-policy>


使用 * 作为 headers 属性的值表明可以跨域发送任何标头。
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.actionscript.flash_misconfiguration_overly_permissive_custom_headers_policy

Flash Misconfiguration: Policy Restrictions Bypass

Abstract
程序利用未经验证的用户输入避开预期的跨域策略限制。
Explanation
默认情况下,Flash 应用程序需要遵循 Same Origin Policy(同源策略),该策略可确保来自同一个域的两个 SWF 应用程序能够访问彼此的数据。Adobe Flash 允许开发人员通过编程或 crossdomain.xml 配置文件中的相应设置来更改该策略。不过,在确定可更改此设置的人时应小心谨慎,如果跨域策略过于宽松,恶意应用程序就能趁机采用不当方式与受害者应用程序进行通信,从而导致发生欺骗、数据被盗、转发及其他攻击。在以下情况下会发生策略限制绕过漏洞:

1. 数据从一个不可信赖的数据源进入应用程序。

2. 数据用于加载或修改跨域策略设置。
示例 1:以下代码会将已加载的 SWF 文件中的一个参数值作为用于加载跨域策略文件的 URL。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var url:String = String(params["url"]);
   flash.system.Security.loadPolicyFile(url);
   ...
示例 2:以下代码会使用已加载的 SWF 文件中的一个参数值来定义可信赖的域列表。


   ...
   var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
   var domain:String = String(params["domain"]);
   flash.system.Security.allowDomain(domain);
   ...
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[13] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[24] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.flash_misconfiguration_policy_restrictions_bypass

Flash Misconfiguration: Unauthorized Data Access

Abstract
程序允许 HTTP 和 HTTPS SWF 应用程序进行通信。
Explanation
从 Flash Player 7 开始,默认情况下通过 HTTP 加载的 SWF 应用程序不允许访问通过 HTTPS 加载的 SWF 应用程序的数据。Adobe Flash 允许开发者通过编程或 crossdomain.xml 配置文件中的相应设置来更改此项限制。不过,定义这些设置时应小心谨慎,因为通过 HTTP 加载的 SWF 应用程序容易受到中间人攻击,所以不应信赖此程序。

示例:以下代码会调用 allowInsecureDomain(),它会取消相关限制,从而允许通过 HTTP 加载的 SWF 应用程序访问通过 HTTPS 加载的 SWF 应用程序中的数据。


   flash.system.Security.allowInsecureDomain("*");
References
[1] Peleus Uhley Creating more secure SWF web applications
[2] Matt Wood and Prajakta Jagdale Auditing Adobe Flash through Static Analysis
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001368, CCI-001414
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000480 CAT II, APSC-DV-000490 CAT II
[40] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.actionscript.flash_misconfiguration_unauthorized_data_access

Go Bad Practices: Leftover Debug Code

Abstract
调试代码可能会影响性能或向攻击者泄漏敏感数据。
Explanation
一种常见的开发实践是添加专用于调试或测试目的的“后门”代码,这些代码不会随应用程序一起发布或部署。当这种类型的调试代码意外地留在应用程序中时,应用程序将暴露于意外的交互模式下。这些后门入口点会产生安全风险,因为在设计或测试期间未考虑这些入口点,且它们不在应用程序的预期操作条件内。
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[5] Standards Mapping - Common Weakness Enumeration CWE ID 489
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[19] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[21] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.semantic.golang.go_bad_practices_leftover_debug_code

GraphQL Bad Practices: GraphiQL Enabled

Abstract
创建 GraphQL 端点时启用了 GraphiQL。
Explanation
GraphiQL 是一种浏览器内工具,它利用 GraphQL 架构自检机制为 GraphQL API 开发和测试提供图形界面。GraphiQL 帮助用户探索 GraphQL 架构以及编写和执行 GraphQL 查询。

不建议允许在生产环境中访问 GraphiQL,因为通过 GraphiQL 启用 GraphQL 架构的自检可能会给您的整体安全状况带来风险。攻击者可以利用 GraphiQL 和自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化默认启用了 GraphiQL 的 GraphQL.js 端点:

app.use('/graphql', graphqlHTTP({
    schema
}));
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.javascript.graphql_bad_practices_graphiql_enabled
Abstract
创建 GraphQL 端点时启用了 GraphiQL。
Explanation
GraphiQL 是一种浏览器内工具,它利用 GraphQL 架构自检机制为 GraphQL API 开发和测试提供图形界面。GraphiQL 帮助用户探索 GraphQL 架构以及编写和执行 GraphQL 查询。

不建议允许在生产环境中访问 GraphiQL,因为通过 GraphiQL 启用 GraphQL 架构的自检可能会给您的整体安全状况带来风险。攻击者可以利用 GraphiQL 和自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化启用了 GraphiQL 的 GraphQL 端点:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema,
  graphiql = True
))
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.python.graphql_bad_practices_graphiql_enabled

GraphQL Bad Practices: Introspection Enabled

Abstract
创建 GraphQL 端点时未禁用架构自检。
Explanation
GraphQL 自检功能使任何人都可以查询 GraphQL 服务器,以获取有关当前架构的信息。相关方可以发出 GraphQL 自检查询,以检索架构的可用操作、数据类型、字段和文档等全面信息。

GraphQL 自检在开发和共享有关 GraphQL API 的信息方面可发挥重大作用。自检是 GraphQL 的一项强大功能,可以促进与各种工具的集成。例如,IDE 可以利用架构自检来提供用于开发和测试 GraphQL API 的增强功能。

但是,允许任何人在生产环境中查询 GraphQL 架构可能会给您的整体安全状况带来风险。攻击者可以利用自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化默认启用了架构自检的 Hot Chocolate GraphQL 端点:

    services
        .AddGraphQLServer()
        .AddQueryType<Query>()
        .AddMutationType<Mutation>();
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.structural.dotnet.graphql_bad_practices_introspection_enabled
Abstract
创建 GraphQL 端点时未禁用架构自检。
Explanation
GraphQL 自检功能使任何人都可以查询 GraphQL 服务器,以获取有关当前架构的信息。相关方可以发出 GraphQL 自检查询,以检索架构的可用操作、数据类型、字段和文档等全面信息。

GraphQL 自检在开发和共享有关 GraphQL API 的信息方面可发挥重大作用。自检是 GraphQL 的一项强大功能,可以促进与各种工具的集成。例如,IDE 可以利用架构自检来提供用于开发和测试 GraphQL API 的增强功能。

但是,允许任何人在生产环境中查询 GraphQL 架构可能会给您的整体安全状况带来风险。攻击者可以利用自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化默认启用了架构自检的 GraphQL.js 端点:

app.use('/graphql', graphqlHTTP({
    schema
}));
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dataflow.javascript.graphql_bad_practices_introspection_enabled
Abstract
创建 GraphQL 端点时未禁用架构自检。
Explanation
GraphQL 自检功能使任何人都可以查询 GraphQL 服务器,以获取有关当前架构的信息。相关方可以发出 GraphQL 自检查询,以检索架构的可用操作、数据类型、字段和文档等全面信息。

GraphQL 自检在开发和共享有关 GraphQL API 的信息方面可发挥重大作用。自检是 GraphQL 的一项强大功能,可以促进与各种工具的集成。例如,IDE 可以利用架构自检来提供用于开发和测试 GraphQL API 的增强功能。

但是,允许任何人在生产环境中查询 GraphQL 架构可能会给您的整体安全状况带来风险。攻击者可以利用自检从 GraphQL 架构中获取实现详细信息,从而执行更有针对性的攻击。GraphQL 架构可能会泄漏信息,例如内部使用的字段、描述和弃用说明,这些信息可能不适合公开使用。

示例 1:以下代码将初始化默认启用了架构自检的 GraphQL 端点:

app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema
))
References
[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[7] Standards Mapping - CIS Kubernetes Benchmark partial
[8] Standards Mapping - Common Weakness Enumeration CWE ID 94
[9] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094
[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[14] Standards Mapping - FIPS200 CM
[15] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.dataflow.python.graphql_bad_practices_introspection_enabled

Hardcoded Domain in HTML

Abstract
如果网页包含其他网域的脚本,则意味着此网页的安全取决于其他域的安全。
Explanation
包含来自其他网站的可执行内容是非常危险的。这就会将您站点的安全与其他站点的安全绑在一起。

示例:请考虑以下 script 标签。

  <script src="http://www.example.com/js/fancyWidget.js"></script>


如果此标签出现在 www.example.com 以外的网站中,则该站点将依赖 www.example.com 来运行正确的非恶意代码。如果攻击者可以入侵 www.example.com,则他们可以篡改 fancyWidget.js 的内容,损害站点安全。例如,他们可以将代码添加到 fancyWidget.js 中,窃取用户的机密数据。
desc.content.html.hardcoded_domain