界: API Abuse

API 就像是呼叫者與被呼叫者之間簽訂的規定。最常見的 API 濫用形式是由呼叫者這一當事方未能遵守此規定所造成的。例如，如果程式在呼叫 chroot() 後無法呼叫 chdir()，即違反規範如何以安全方式變更使用中根目錄的規定。程式庫濫用的另一個好例子是期待被呼叫者向呼叫者傳回值得信賴的 DNS 資訊。在這種情況下，呼叫者是透過對其行為做出某些假設 (傳回值可用於驗證目的) 來濫用被呼叫者 API。另一方也可能違反呼叫者與被呼叫者間的規定。例如，如果編碼器衍生出子類別 SecureRandom 並傳回一個非隨機值，則違反了規定。

Often Misused: Spring Remote Service

Java/JSP

Abstract

遠端服務都是在 Spring 應用程式中設定的。根據預設，這些遠端服務不需要驗證，而且在此項服務傳送進出的資訊都是純文字。這讓攻擊者能夠存取特殊權限操作，或是洩漏敏感資訊。

Explanation

Spring 提供簡單的機制，能將任何 Spring 管理的 bean，都變成透過 RMI、HTTP、Burlap、Hessian 及 JMX 傳輸協定向外部公開的物件。從外部可以呼叫遠端 Spring bean 的任何公用方法，而且在用戶端與遠端物件之間傳遞的資料都是純文字。這些服務的主要問題在於，根據預設，它們都是開放的，而且一開始並沒有提供任何保密性或完整性的保證。

References

[1] Anirvan Chakraborty , Jessica Ditt , Aleksa Vukotic , Jan Machacek ProSpring 2.5

[2] Gary Mak , Daniel Rubio , Josh Long Spring Recipes

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165

[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), SC-3 Security Function Isolation (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-8 Transmission Confidentiality and Integrity

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.10

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4, Requirement 6.5.9

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4, Requirement 6.5.8

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4, Requirement 6.5.8

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4, Requirement 6.5.8

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4, Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4, Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective 6.2 - Sensitive Data Protection, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.4.1 - Web Software Communications

[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[48] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.configuration.java.often_misused_spring_remote_service