界: Encapsulation
封裝是要劃定清楚的界限。在網頁瀏覽器中,這可能意味著確保您的行動程式碼不會被其他行動程式碼濫用。在伺服器上,這可能意味著區分經過驗證的資料與未經驗證的資料、區分一個使用者的資料與另一個使用者的資料,或區分允許使用者查看的資料與不允許查看的資料。
Hardcoded Domain in HTML
Abstract
包含其他網域的 script,這表示,這個網頁的安全性依賴另一個網域的安全性。
Explanation
包含另外一個網站中可執行的內容是有風險的。這樣會導致您網站的安全性與另一個網站息息相關。
範例: 請思考以下
如果這個標籤出現在
範例: 請思考以下
script 標籤。
<script src="http://www.example.com/js/fancyWidget.js"></script>
如果這個標籤出現在
www.example.com 以外的網站上,則該網站依賴 www.example.com 提供正確且無惡意的程式碼。如果攻擊者能危害 www.example.com,他們就能修改 fancyWidget.js 的內容來破壞網站的安全性。例如,他們可以新增程式碼至 fancyWidget.js 來竊取使用者的機密資料。References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 494, CWE ID 829
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167
[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.3 Dependency (L1 L2 L3), 14.2.4 Dependency (L2 L3)
[7] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[8] Standards Mapping - OWASP Mobile 2024 M7 Insufficient Binary Protections
[9] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-PLATFORM-2
[10] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094
[11] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II
[25] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Process Validation (WASC-40)
[26] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Process Validation
desc.content.html.hardcoded_domain