界: Time and State
分散式運算與時間和狀態相關。也就是說,為了使多個元件進行通訊,必須共用狀態,並且這一切都需要時間。
大多數的程式設計師將他們的工作擬人化。他們想採用一種控制執行緒來執行整個程式,就像他們必須自己完成這項工作一樣。但是,現代的電腦可以非常快速地切換工作,並且在多核心多 CPU 或分散式系統中,兩個事件可能恰好同時發生。瑕疵急於填補程式設計師在程式執行模型與實際情況之間的差距。這些瑕疵與執行緒、處理序、時間和資訊之間的意外互動有關。這些互動透過共用狀態發生:信號、變數、檔案系統,以及基本上任何可以儲存資訊的項目。
J2EE Bad Practices: Insufficient Session Expiration
Abstract
該方法設定永遠不會過期的階段作業。
Explanation
開啟階段作業時間愈久,攻擊者威脅使用者帳戶的機率就愈大。階段作業仍為作用中時,攻擊者可能會暴力破解使用者密碼、破解使用者的無線加密金鑰,或是從開啟的瀏覽器控制階段作業。如果足夠大量的階段作業正在執行,較長的階段作業逾時時間也會導致無法釋放記憶體,最後造成阻斷服務。
範例 1:以下範例中的程式碼為未活動時間間隔上限設定了負值,導致階段作業無限期地處於作用中狀態。
範例 1:以下範例中的程式碼為未活動時間間隔上限設定了負值,導致階段作業無限期地處於作用中狀態。
...
HttpSession sesssion = request.getSession(true);
sesssion.setMaxInactiveInterval(-1);
...
References
[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2
[2] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5
[3] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1
[4] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality
[5] Standards Mapping - CIS Kubernetes Benchmark partial
[6] Standards Mapping - Common Weakness Enumeration CWE ID 613
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361
[8] Standards Mapping - FIPS200 IA
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[18] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.structural.java.j2ee_bad_practices_insufficient_session_expiration