界: Security Features

软件安全不是安全软件。此处我们关注的主题包括身份验证、Access Control、机密性、加密和权限管理。

312 个项目已找到
弱点

ASP.NET Misconfiguration: Logging Sensitive Information

Abstract
W3Clogger 中间件配置不当会导致记录敏感信息。
Explanation
可以将 ASP.NET W3Clogger.loggingFields 配置为允许记录敏感数据,例如私有信息和系统信息。
此数据可能包含与 HTTP 请求和 HTTP 响应相关的敏感信息,例如客户端/服务器 IP、服务器端口、标头 Cookie 以及经过验证的用于访问服务器的用户名。

如果发生数据泄露,攻击者可以利用此信息来执行以下操作:

- 窃取敏感信息或冒充具有更高权限的用户。
- 发现内部服务器,获得对受限资源的未授权访问权限。
- 设计专门针对对于检测到的服务器报告的已知漏洞的攻击


示例 1:以下代码显示了已禁用验证的控制器中的操作方法:


  builder.Services.AddW3CLogging(logging =>
    logging.LoggingFields = W3CLoggingFields.All;

    ... )
Example 1 显示如何使用标记 All 配置 W3Clogging,以记录 Http 请求所有可能的字段,包括敏感数据(如 ClientIpAddressServerNameServerIpAddressServerPortUserNameCookie)。
References
[1] Building Secure ASP.NET Pages and Controls Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark partial
[7] Standards Mapping - Common Weakness Enumeration CWE ID 5
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[9] Standards Mapping - FIPS200 CM, SC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.structural.dotnet.asp_dotnet_misconfiguration_logging_sensitive_information

ASP.NET Misconfiguration: Persistent Authentication

Abstract
Persistent authentication 票据使用户容易受到会话劫持攻击。
Explanation
FormsAuthentication.RedirectFromLoginPage() 方法会发布一个 authentication 票据,该票据使用户可以在一段时期内保留经过验证的身份。如果将该方法的第二参数设为 false,则调用该方法时会发布一个临时 authentication 票据,其有效期在 web.config 中配置。如果将第二参数设为 true,该方法就会发布一个 persistent authentication 票据。在 .NET 2.0 中,persistent authentication 票据的有效期就是在 web.config 中配置的值;但在 .NET 1.1 中,persistent authentication 票据的有效期有一个滑稽的默认值 - 50 年。

允许 persistent authentication 票据长时期存在会使用户和系统容易受到以下几种攻击:

对于注销失败的用户,身份验证票据漏洞延长了其暴露在会话劫持攻击下的时间。

持久身份验证票据增加了攻击者猜中正确的会话标识符的机率。

当攻击者成功地劫持了某个用户的会话后,该漏洞将使攻击者有更多的时间来盗取信息。
References
[1] Jeff Prosise The Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls MSDN Magazine
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 302
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185, CCI-001941, CCI-001942
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity
[17] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[21] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[25] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001530 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration_persistent_authentication

ASP.NET Misconfiguration: Unsafe Header Parsing

Abstract
该应用程序会设置一个属性,以在 HTTP 解析期间忽略验证错误。
Explanation
useUnsafeHeaderParsing 设置为 true 可放宽 HTTP 标头处理策略。HTTP 标头验证规则过于宽松可能导致易受攻击的应用程序受到各种攻击。



特别是,当此属性设置为 false 时,将不再强制执行以下验证规则:

在行尾代码中,使用 CRLF;不允许单独使用 CR 或 LF。

标头名称不应包含空格。

如果存在多个状态行,则将所有其他状态行视为格式错误的标头名称/值对。

除状态代码之外,状态行还必须包含状态描述。

标头名称不能包含非 ASCII 字符。无论此属性设置为 true 还是 false,都会执行此验证。

发生协议违规时,抛出 WebException 异常并将状态设置为 ServerProtocolViolation。如果 UseUnsafeHeaderParsing 属性设置为 true,则忽略验证错误。

将此属性设置为 true 存在安全隐患,因此只有在要求与服务器向后兼容时才能使用此设置。


示例 1:在以下示例中,useUnsafeHeaderParsing 会设置为 True。

...
<configuration>
   <system.net>
   <settings>
      <httpWebRequest  useUnsafeHeaderParsing="true" />
   </settings>
   </system.net>
</configuration>
...
References
[1] HttpWebRequestElement.UseUnsafeHeaderParsing Property Microsoft
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[6] Standards Mapping - CIS Kubernetes Benchmark complete
[7] Standards Mapping - Common Weakness Enumeration CWE ID 113
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[19] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[20] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.1 - Web Software Attack Mitigation
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.dotnet.asp_dotnet_misconfiguration_unsafe_header_parsing

ASP.NET Misconfiguration: ViewStateMac Disabled

Abstract
攻击者可以通过禁用视图状态消息身份验证检查 (MAC) 来修改视图状态。
Explanation
在 ASP.NET 中,视图状态是一种在不同回发的 Web 表单中保持状态的机制。视图状态中存储的数据不可信,因为没有防范转发攻击的机制。当禁用视图状态消息身份验证检查时,信任视图状态尤其危险。禁用此检查相当于允许攻击者对视图状态中存储的数据进行任意更改,可能为攻击信任视图状态的代码敞开大门。攻击者可能会利用此类错误阻挠身份验证检查或更改项定价。
References
[1] Understanding ASP.NET View State Microsoft
[2] Michal Zalewski ASP.NET __VIEWSTATE crypto validation prone to replay attacks
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3
[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[7] Standards Mapping - CIS Kubernetes Benchmark complete
[8] Standards Mapping - Common Weakness Enumeration CWE ID 353
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 2.2.3
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 2.2.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 2.2.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 2.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 2.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 2.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 2.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[32] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration.viewstatemac_disabled

ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation

Abstract
控制器操作可以利用防伪验证。
Explanation
ASP.NET MVC 提供一种方便的方式(通过在表单端添加防伪标记并在控制器确认该防伪标记)来更好地保护应用程序以针对跨站点伪装请求。如果使用,该标记通常作为一个隐藏的表单字段并在表单提交时进行确认,这提高了请求是来自您的应用程序的可能性,而不是伪造的。

以下控制器代码不包括针对跨站点伪装请求的内置防范:


public ActionResult ActionName(Model model, string returnurl)
{
  // ... controller logic
}
References
[1] HtmlHelper.AntiForgeryToken Method
[2] ValidateAntiForgeryTokenAttribute Class
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 352
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity
[19] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[20] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[21] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[25] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.dotnet.aspnet_mvc_bad_practices_action_without_antiforgery_validation

ASP.NET MVC Bad Practices: Form Without AntiForgery Token

Abstract
Razor 视图包含表单但是表单上没有防伪标记,因此更容易受到跨站点伪装请求的影响。
Explanation
ASP.NET MVC 提供一种方便的方式(通过在 HTML 表单添加防伪标记并在控制器确认该防伪标记)来更好地保护应用程序以针对跨站点伪装请求。如果使用,该标记通常作为一个隐藏的表单字段并在表单提交时进行确认,这提高了请求是来自您的应用程序的可能性,而不是伪造的。

通常,程序员应该包含该防伪标记,因为它增加了针对应用程序的恶意脚本的成本。

示例 1:以下 Razor 代码将在生成的 HTML 中创建一个表单,但未内置针对 Cross-Site Request Forgery 的防御措施:


@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl })) {
  // ... form elements
}
Example 2::The following Razor code creates a form in the resulting HTML without the built-in defense against cross-site request forgery. Note that parameter antiforgery is set to either false or null:


@using (Html.BeginForm("actionName", "controllerName", routeValues, FormMethod.Post, antiforgery: false, htmlAtts)) {
  // ... form elements
}
References
[1] HtmlHelper.AntiForgeryToken Method
[2] ValidateAntiForgeryTokenAttribute Class
[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete
[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity
[8] Standards Mapping - CIS Kubernetes Benchmark complete
[9] Standards Mapping - Common Weakness Enumeration CWE ID 352
[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity
[19] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[20] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[21] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[24] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[25] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.controlflow.dotnet.aspnet_mvc_bad_practices_form_without_antiforgery_token

Authentication Bad Practice: Ignored Authentication Method

Abstract
实施 NSURLConnectionDelegate.connection(_:willSendRequestFor:) 代理回调方法将使系统忽略 NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:)NSURLConnectionDelegate.connection(_:didReceive:) 方法。
Explanation
NSURLConnectionDelegate.connection(_:willSendRequestFor:) 代理方法允许代理立即就连接身份验证做出明智的选择。如果代理实施此方法,则无需实施 NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:)NSURLConnectionDelegate.connection(_:didReceive:)。事实上,这些方法不会被调用,因此将忽略它们的所有安全检查。
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.objc.authentication_bad_practice_ignored_authentication_method
Abstract
实施 NSURLConnectionDelegate.connection(_:willSendRequestFor:) 代理回调方法将使系统忽略 NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:)NSURLConnectionDelegate.connection(_:didReceive:) 方法。
Explanation
NSURLConnectionDelegate.connection(_:willSendRequestFor:) 代理方法允许代理立即就连接身份验证做出明智的选择。如果代理实施此方法,则无需实施 NSURLConnectionDelegate.connection(_:canAuthenticateAgainstProtectionSpace:)NSURLConnectionDelegate.connection(_:didReceive:)。事实上,这些方法不会被调用,因此将忽略它们的所有安全检查。
References
[1] connection(_:willSendRequestFor:) API documentation Apple
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[8] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
desc.structural.swift.authentication_bad_practice_ignored_authentication_method