界: Security Features

軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。

Access Control: ACL Manipulation

Java/JSP

Abstract

應用程式會允許攻擊者操控 AWS S3 儲存貯體或物件上的 Access Control Policy (ACP)。

Explanation

應用程式會允許攻擊者控制授予 AWS S3 儲存貯體或物件的權限。如此將允許攻擊者設定能讓其讀取內容或寫入任意檔案的弱式原則。

範例 1：下列程式碼會使用使用者指定的 Access Control Policy 建立新的儲存貯體。



    String canned_acl = request.getParameter("acl");

    CreateBucketRequest createBucketRequest = CreateBucketRequest.builder()
        .bucket("foo")
        .acl(canned_acl)
        .createBucketConfiguration(CreateBucketConfiguration.builder().locationConstraint(region.id()).build())
        .build();

即使應用程式預期系統會從有限集合中選取 acl 參數，但攻擊者仍可將此參數設為 public-read-write，並授予對儲存貯體的完全匿名存取權。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[5] Standards Mapping - CIS Kubernetes Benchmark partial

[6] Standards Mapping - Common Weakness Enumeration CWE ID 287, CWE ID 359

[7] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200, [13] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200, [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [20] CWE ID 200

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002475

[13] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-28 Protection of Information at Rest (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-28 Protection of Information at Rest

[16] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[17] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[21] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[22] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 8.2.2 Client-side Data Protection (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3), 10.2.1 Malicious Code Search (L2 L3)

[23] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage

[24] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 8.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.6, Requirement 8.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.2, Requirement 3.4, Requirement 4.2, Requirement 6.5.5, Requirement 8.2.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3310 CAT I, APP3340 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002340 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002340 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002340 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002340 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002340 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002340 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002340 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002340 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002340 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002340 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002340 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002340 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002340 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-002340 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.dataflow.java.access_control.acl_manipulation