229 找到的項目
弱點

.NET Attribute Misuse: Authorization Bypass

Abstract
應用程式在類別或方法層級使用 [AllowAnonymous] 屬性略過 [Authorize] 屬性授予的授權。
Explanation
ASP.NET Core 透過將 [Authorize] 屬性新增到類別或方法,允許應用程式動作要求授權。此外,應用程式類別或方法的指定授權需求也可以透過新增 [AllowAnonymous] 屬性予以略過。當 [AllowAnonymous] 屬性和 [Authorize] 屬性兩者都指定時,會以前者為優先,並略過後者。這可能導致攻擊者對敏感資料和動作進行任意且匿名的存取。

範例 1:以下範例顯示類別層級的 [AllowAnonymous] 屬性覆寫在方法上設定的 [Authorize] 屬性。secretAction() 方法不需要授權,儘管有 [Authorize] 屬性。


...
[AllowAnonymous]
public class Authorization_Test
{
    [Authorize]
    public IActionResult secretAction()
    {
        
    }
}
...
範例 2:以下範例顯示超級類別之類別層級的 [AllowAnonymous] 屬性覆寫在子類別方法上設定的 [Authorize] 屬性。由於繼承的類別 Inherit_AA 具有 [AllowAnonymous] 屬性,因此儘管指定了 [Authorize] 屬性, secretAction() 方法也不需要授權。


...
[AllowAnonymous]
public abstract class Inherit_AA
{
    
}

public class Authorization_Test:Inherit_AA
{
    [Authorize]
    public IActionResult secretAction()
    {
        
    }
}
...
範例 3:下面顯示 [AllowAnonymous] 屬性覆寫在方法層級上具有繼承的 [Authorize] 屬性。由於繼承的方法 secretAction() 具有 [AllowAnonymous] 屬性,因此儘管在覆寫方法上指定了 [Authorize] 屬性,secretAction() 方法也不需要授權。


...
public abstract class Inherit_AA
{
    [AllowAnonymous]
    public abstract IActionResult secretAction()
    {
        
    }
}

public class Authorization_Test:Inherit_AA
{
    [Authorize]
    public override IActionResult secretAction()
    {
        
    }
}
...
References
[1] Rick Anderson et al. Simple authorization in ASP.NET Core Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 862, CWE ID 285
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [11] CWE ID 862
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[9] Standards Mapping - FIPS200 AC
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3), 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.dotnet.dotnet_attribute_misuse_authorization_bypass

.NET Bad Practices: Leftover Debug Code

Abstract
除錯程式碼可能會在部署中產生非預期的負面影響。
Explanation
使用僅用於除錯用途的 API。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 489
[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

Access Control: Anonymous LDAP Bind

Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的記錄。
Explanation
若未經 authentication 便在匿名連結下有效地執行 LDAP 查詢,會讓攻擊者濫用低階配置的 LDAP 環境。

範例 1:以下程式碼使用匿名連結建立 DirectoryEntry de


...
de = new DirectoryEntry("LDAP://ad.example.com:389/ou=People,dc=example,dc=com");
...


所有針對 de 的 LDAP 查詢會在未經 authentication 和 access control 的情況下執行。攻擊者可能會以意想不到的方式來操縱其中的一個查詢,以取得原本應受目錄的 access control 機制所保護的記錄。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 285
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_anonymous_ldap_bind
Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的記錄。
Explanation
若未經 authentication 便在匿名連結下有效地執行 LDAP 查詢,會讓攻擊者濫用低階配置的 LDAP 環境。

範例 1:以下程式碼是使用 ldap_simple_bind_s() 匿名捆綁一個 LDAP 目錄。


...
rc = ldap_simple_bind_s( ld, NULL, NULL );
  if ( rc != LDAP_SUCCESS ) {
    ...
  }
...


所有針對 ld 的 LDAP 查詢會在未經 authentication 和 access control 的情況下執行。攻擊者可能會以意想不到的方式來操縱其中的一個查詢,以取得原本應受目錄的 access control 機制所保護的記錄。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 285
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_anonymous_ldap_bind
Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的記錄。
Explanation
若未經 authentication 便在匿名連結下有效地執行 LDAP 查詢,會讓攻擊者濫用低階配置的 LDAP 環境。

範例 1:以下程式碼使用匿名連結建立 DirContext ctx


...
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
...


所有針對 ctx 的 LDAP 查詢會在未經 authentication 和 access control 的情況下執行。攻擊者可能會以意想不到的方式來操縱其中的一個查詢,以取得原本應受目錄的 access control 機制所保護的記錄。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 285
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_anonymous_ldap_bind
Abstract
若沒有適當的 Access Control,執行包含使用者控制之值的 LDAP 陳述式可讓攻擊者存取未經授權的記錄。
Explanation
在匿名繫結下執行 LDAP 查詢,可讓攻擊者在未經驗證的情況下有效濫用配置不當的 LDAP 環境。

範例 1:如果使用者輸入空白密碼,以下程式碼將會建立匿名繫結。


...
$ldapbind = ldap_bind ($ldap, $dn, $password = "" );
...


透過此連線執行的所有後續 LDAP 查詢,就可以在沒有驗證和 Access Control 之下直接執行。攻擊者可能會以意想不到的方式操縱這些查詢之一,以取得對記錄的存取權,否則這些記錄將受到目錄 Access Control 機制的保護。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 285
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-001084, CCI-002165
[4] Standards Mapping - FIPS200 AC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), IA-8 Identification and Authentication (Non-Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[10] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-001870 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.semantic.php.access_control_anonymous_ldap_bind

Access Control: Database

Abstract
若沒有適當的存取控制,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1: 以下程式碼使用依賴整數的指令,因此不容易受到 SQL injection 弱點的攻擊,可用來建立並執行 SQL 查詢以搜尋符合特定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


DATA: id TYPE i.
...
id = request->get_form_field( 'invoiceID' ).

CONCATENATE `INVOICEID = '` id `'` INTO cl_where.
SELECT *
    FROM invoices
    INTO CORRESPONDING FIELDS OF TABLE itab_invoices
    WHERE (cl_where).
ENDSELECT.
...


問題是開發人員沒有考慮到所有可能的 ID 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.abap.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


        ...
        var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
        var id:int = int(Number(params["invoiceID"]));
        var query:String = "SELECT * FROM invoices WHERE id = :id";

        stmt.sqlConnection = conn;
        stmt.text = query;
        stmt.parameters[":id"] = id;
        stmt.execute();
        ...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.actionscript.access_control_database
Abstract
如果沒有適當的存取控制,執行可能包含使用者提供的主要金鑰的 SOQL/SOSL 陳述式,可讓攻擊者檢視未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SOQL/SOSL 查詢中主要金鑰的值。
範例 1:在以下程式碼範例中,inputID 值來自於預先定義的清單,而繫結變數可協助防止 SOQL/SOSL injection。


...
result = [SELECT Name, Phone FROM Contact WHERE (IsDeleted = false AND Id=:inputID)];
...


上述範例存在的問題是,使用預先定義的 ID 清單不足以阻止使用者修改 inputID 的值。如果攻擊者能夠略過介面並使用其他值傳送要求,便可存取其他聯絡人資訊。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求聯絡人的權限,所以即使該使用者未獲得查看的授權,程式碼也會顯示任何聯絡人。
References
[1] Salesforce Developers Technical Library Secure Coding Guidelines - Authorization and Access Control
[2] Salesforce Developers Technical Library Testing CRUD and FLS Enforcement
[3] Salesforce Developers Technical Library Enforcing CRUD and FLS
[4] Standards Mapping - Common Weakness Enumeration CWE ID 566
[5] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.apex.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 LINQ 指令,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。

2. 此資料用來指定位於 LINQ 查詢中主要關鍵字的值。
範例 1:以下程式碼執行 LINQ 查詢以搜尋符合指定識別碼 [1] 的清單。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...

int16 id = System.Convert.ToInt16(invoiceID.Text);
var invoice = OrderSystem.getInvoices()
	.Where(new Invoice { invoiceID = id });
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_linq
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
CMyRecordset rs(&dbms);
rs.PrepareSQL("SELECT * FROM invoices WHERE id = ?");
rs.SetParam_int(0,atoi(r.Lookup("invoiceID").c_str()));
rs.SafeExecuteSQL();
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化指令,避開中繼字元的使用且避免 SQL injection 的弱點,用來建立並執行 SQL 查詢以搜尋符合特定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
ACCEPT ID.
EXEC SQL
    DECLARE C1 CURSOR FOR
    SELECT INVNO, INVDATE, INVTOTAL
    FROM INVOICES
    WHERE INVOICEID = :ID
END-EXEC.
...


問題是開發人員沒有考慮到所有可能的 ID 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cobol.access_control_database
Abstract
如果沒有適當的存取控制,執行包含使用者控制的資料庫名稱的 deleteDatabase 方法可能會允許攻擊者刪除任何資料庫。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定資料庫名稱的值。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 566
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dart.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制之主要金鑰的 SQL 陳述式可讓攻擊者存取未經授權的記錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1.資料從一個不可信賴的來源進入程式。


2.此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式,避開中繼字元並防止 SQL injection 弱點,用來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
id := request.FormValue("invoiceID")
query := "SELECT * FROM invoices WHERE id = ?";
rows, err := db.Query(query, id)
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 566
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.golang.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
id = Integer.decode(request.getParameter("invoiceID"));
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.execute();
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。

有人認為在行動環境中,典型的 Web 應用程式弱點 (例如資料庫 Access Control 錯誤) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 2:以下程式碼改寫 Example 1 以適用於 Android 平台。


...
        String id = this.getIntent().getExtras().getString("invoiceID");
        String query = "SELECT * FROM invoices WHERE id = ?";
        SQLiteDatabase db = this.openOrCreateDatabase("DB", MODE_PRIVATE, null);
        Cursor c = db.rawQuery(query, new Object[]{id});
...


有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


	...
	var id = document.form.invoiceID.value;
	var query = "SELECT * FROM invoices WHERE id = ?";
	db.transaction(function (tx) {
		tx.executeSql(query,[id]);
		}
	)
	...



問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.javascript.access_control_database
Abstract
若沒有適當的 Access Control,識別的方法可以執行 SQL 陳述式,其中包含了攻擊者控制的主要金鑰,可讓攻擊者存取未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不受信任的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...

        NSManagedObjectContext *context = [appDelegate managedObjectContext];
        NSEntityDescription *entityDesc = [NSEntityDescription entityForName:@"Invoices" inManagedObjectContext:context];
        NSFetchRequest *request = [[NSFetchRequest alloc] init];
        [request setEntity:entityDesc];
        NSPredicate *pred = [NSPredicate predicateWithFormat:@"(id = %@)", invoiceId.text];
        [request setPredicate:pred];

        NSManagedObject *matches = nil;
        NSError *error;
        NSArray *objects = [context executeFetchRequest:request error:&error];

        if ([objects count] == 0) {
                 status.text = @"No records found.";
        } else {
                matches = [objects objectAtIndex:0];
                invoiceReferenceNumber.text = [matches valueForKey:@"invRefNum"];
                orderNumber.text = [matches valueForKey:@"orderNumber"];
                status.text = [NSString stringWithFormat:@"%d records found", [objects count]];
        }
        [request release];
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.objc.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


        ...
	$id = $_POST['id'];
	$query = "SELECT * FROM invoices WHERE id = ?";
	$stmt = $mysqli->prepare($query);
	$stmt->bind_param('ss',$id);
	$stmt->execute();
        ...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。

有許多現代的 Web 架構提供執行使用者輸入驗證的機制 (包括 Struts 和 Struts 2)。為了突顯未驗證的輸入來源,Fortify 安全編碼檢查規則會降低 Fortify Static Code Analyzer 所報告之問題的攻擊可能性,並在使用框架驗證機制時提供支援證據的指標,以動態重新排列其優先順序。我們將此功能稱為「內容相關性排名」。為了進一步協助 Fortify 使用者進行稽核程序,Fortify Software 安全研發團隊提供了資料驗證專案範本,該範本會依據套用到其輸入來源的驗證機制,按資料夾對問題進行分組。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.php.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。

2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


procedure get_item (
itm_cv IN OUT ItmCurTyp,
id in varchar2)
is
open itm_cv for ' SELECT * FROM items WHERE ' ||
'invoiceID = :invid' ||
     	using id;
end get_item;


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.sql.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
id = request.POST['id']
c = db.cursor()
stmt = c.execute("SELECT * FROM invoices WHERE id = %s", (id,))
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.python.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
id = req['invoiceID'].respond_to(:to_int)
query = "SELECT * FROM invoices WHERE id=?"
stmt = conn.prepare(query)
stmt.execute(id)
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.ruby.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制之主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1: 以下程式碼使用參數化陳述式,避開中繼字元並防止 SQL injection 弱點,用來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。 此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


  def searchInvoice(value:String) = Action.async { implicit request =>
    val result: Future[Seq[Invoice]] = db.run {
      sql"select * from invoices where id=$value".as[Invoice]
    }
    ...
  }


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.scala.access_control_database
Abstract
若沒有適當的 Access Control,識別的方法可以執行 SQL 陳述式,其中包含了攻擊者控制的主要金鑰,可讓攻擊者存取未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不受信任的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


...
let fetchRequest = NSFetchRequest()
let entity = NSEntityDescription.entityForName("Invoices", inManagedObjectContext: managedContext)
fetchRequest.entity = entity
let pred : NSPredicate = NSPredicate(format:"(id = %@)", invoiceId.text)
fetchRequest.setPredicate = pred
do {
    let results = try managedContext.executeFetchRequest(fetchRequest)
    let result : NSManagedObject = results.first!
    invoiceReferenceNumber.text = result.valueForKey("invRefNum")
    orderNumber.text = result.valueForKey("orderNumber")
    status.text = "\(results.count) records found"
} catch let error as NSError {
    print("Error \(error)")
}
...


問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.swift.access_control_database
Abstract
若沒有適當的 Access Control,執行包含使用者控制的主要金鑰的 SQL 陳述式,可讓攻擊者查看未經授權的記錄。
Explanation
在以下情況會發生資料庫存取控制錯誤:

1. 資料從一個不可信賴的來源進入程式。


2. 此資料用來指定位於 SQL 查詢中主要金鑰的值。
範例 1:以下程式碼使用參數化陳述式 (不但可避開中繼字元的使用,而且可以防止 SQL injection 弱點),來建構並執行 SQL 查詢以搜尋符合指定識別碼的清單 [1]。此識別碼是從與目前驗證的使用者有關聯的所有清單中所選取。


	...
	id = Request.Form("invoiceID")
	strSQL = "SELECT * FROM invoices WHERE id = ?"
	objADOCommand.CommandText = strSQL
	objADOCommand.CommandType = adCmdText
	set objADOParameter = objADOCommand.CreateParameter("id" , adString, adParamInput, 0, 0)
	objADOCommand.Parameters("id") = id
	...



問題是開發人員沒有考慮到所有可能的 id 值。雖然介面會產生屬於目前使用者的清單識別碼清單,但攻擊者可能略過此介面以要求任何想要的清單。因為此範例中的程式碼沒有檢查以確保使用者擁有存取所要求清單的權限,所以即使清單不屬於目前使用者,程式碼也會顯示所有清單。
References
[1] S. J. Friedl SQL Injection Attacks by Example
[2] Standards Mapping - Common Weakness Enumeration CWE ID 566
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-23 Data Mining Protection (P0), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-23 Data Mining Protection, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.4.2 GraphQL and other Web Service Data Layer Security Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.vb.access_control_database

Access Control: Form Authentication Bypass

Abstract
應用程式設定的屬性會允許未經驗證輸入至原生 API,且可能會導致攻擊者能夠避開驗證。
Explanation
依預設,在驗證程序期間,ASP.NET 表單驗證會先驗證使用者的憑證,然後再將其傳遞至原生 API。問題是,此功能可透過使用 aspnet:UseLegacyFormsAuthenticationTicketCompatibility 設定進行修改,以允許未經驗證的輸入傳遞至原生 API,且可能導致攻擊者能夠避開驗證。成功攻擊此弱點的攻擊者無需密碼,即能夠避開針對任何已知使用者名稱的 ASP.NET 表單驗證。然後,攻擊者能夠以受害使用者的名義採取任何動作,包括在網站上執行任意指令。

範例 1:在以下範例中,aspnet:UseLegacyFormsAuthenticationTicketCompatibility 設定為 true

...
  <appSettings>
    <add key="aspnet:UseLegacyFormsAuthenticationTicketCompatibility" value="true" />
  </appSettings>
...
References
[1] ASP.NET appSettings Element Microsoft
[2] Microsoft Security Bulletin MS11-100 - Critical Microsoft
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [9] CWE ID 862
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3610 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3610 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3610 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3610 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.configuration.dotnet.access_control_form_authentication_bypass

Access Control: LDAP

Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的目錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。

2. 資料用在 LDAP 查詢中指定資料值。
範例 1:目前已驗證的使用者的員工識別碼,會隨著每個用戶端介面的要求自動傳遞。以下的程式碼在使用員工名稱建立 LDAP 查詢之前,使用了允許清單適當地驗證此員工名稱。此驗證避免了 LDAP injection 弱點,但仍可能留下程式碼弱點。


static string AllowlistVerify(string name) {
    Regex pattern = new Regex(@"^[a-zA-Z\-\.']+$");
    if (pattern.IsMatch(name)) {
        return name;
    }
    return null;
}

...
string verifiedName = AllowlistVerify(managerName.Text.trim());
if(verifiedName != null) {
    DirectorySearcher src = new DirectorySearcher("(manager=" + verifiedName + ")");
    src.SearchRoot = de;
    src.SearchScope = SearchScope.Subtree;

    foreach(SearchResult res in src.FindAll()) {
        ...
    }
}


問題是開發人員未考慮到,如果攻擊者提供可替代 empName 的值,會發生什麼情況。儘管介面自動傳遞目前使用者的員工識別碼,但是攻擊者仍可能在惡意要求傳遞其他代替目前識別碼的值。因為此範例中的程式碼是在匿名連結下執行查詢,所以不管目前驗證的使用者身份如何,它都會將任何有效的員工識別碼傳回目錄項目中。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 639
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.dotnet.access_control_ldap
Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的目錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。

2. 資料用在 LDAP 查詢中指定資料值。
範例 1:以下程式碼在使用員工名稱建立 LDAP 查詢之前,使用了允許清單驗證從通訊端讀取的員工名稱。此驗證避免了 LDAP injection 弱點,但仍可能留下程式碼弱點。


char* allowlist_verify(char* name) {
    const char *error;
    int errOffset;
    char* regex = "^[a-zA-Z\\-\\.']+$";
    pcre* re = pcre_compile(regex, 0, &err, &errOffset, NULL);
    int rc = pcre_exec(re, NULL, name, strlen(name), 0, 0, NULL, 0);
    if (rc == 1)
        return name;
    return NULL;
}
...
fgets(managerName, sizeof(managerName), socket);
char* verified_name = allowlist_verify(managerName);
if(verified_name != NULL) {
    snprintf(filter, sizeof(filter), "(manager=%s)", verified_name);
    if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
            filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
            LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
    ...
    }
}


問題是開發人員未考慮到,如果攻擊者提供可替代 username 的值,會發生什麼情況。因為此範例中的程式碼是在匿名連結下執行查詢,所以不管目前驗證的使用者身份如何,它都會將任何有效的員工識別碼傳回目錄項目中。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 639
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.cpp.access_control_ldap
Abstract
若沒有適當的 Access Control,執行包含使用者控制值的 LDAP 指令,可讓攻擊者查看未經授權的目錄。
Explanation
在以下情況會發生資料庫 Access Control 錯誤:

1. 資料從一個不可信賴的來源進入程式。

2. 資料用在 LDAP 查詢中指定資料值。
範例 1:目前已驗證的使用者的員工識別碼,會隨著每個用戶端介面的要求自動傳遞。以下的程式碼在使用員工識別碼建立 LDAP 查詢之前,使用了安全名單適當地驗證此員工識別碼。此驗證避免了 LDAP injection 弱點,但仍可能留下程式碼弱點。


...
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);

String empID = request.getParameter("empID");

try
{
  int id = Integer.parseInt(empID);

  BasicAttribute attr = new BasicAttribute("empID", empID);

  NamingEnumeration employee =
            ctx.search("ou=People,dc=example,dc=com",attr);
...



問題是開發人員未考慮到,如果攻擊者提供可替代 empID 的值,會發生什麼情況。儘管介面自動傳遞目前使用者的員工識別碼,但是攻擊者仍可能在惡意要求傳遞其他代替目前識別碼的值。因為此範例中的程式碼是在匿名連結下執行查詢,所以不管目前驗證的使用者身份如何,它都會將任何有效的員工識別碼傳回目錄項目中。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 639
[2] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.2 General Access Control Design (L1 L2 L3), 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[11] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.dataflow.java.access_control_ldap

ASP.NET Bad Practices: Compression Over Encrypted WebSocket Connection

Abstract
應用程式啟用了危險的壓縮。
Explanation

該應用程式使用啟用 Permessage-deflate WebSocket 擴充功能的程式碼,允許透過加密連線進行壓縮。啟用這種類型的壓縮後,會使應用程式可能遭受 CRIME 和 BREACH 類型的攻擊。

範例 1:以下程式碼將 DangerousEnableCompression 設定為 true,以啟用 'per-message-deflate' 擴充功能:

    app.Run(async context => {
        using var websocket = await context.WebSockets.AcceptWebSocketAsync(new WebSocketAcceptContext() { DangerousEnableCompression = true });
        await websocket.SendAsync(...);
        await websocket.ReceiveAsync(...);
        await websocket.CloseAsync(WebSocketCloseStatus.NormalClosure, null, default);
    });
範例 2:以下程式碼使用 DangerousDeflateOptions 設定 'per-message-deflate' 擴充功能的選項:

    using ClientWebSocket ws = new() {
        Options = {
            CollectHttpResponseDetails = true,
            DangerousDeflateOptions = new WebSocketDeflateOptions() {
                ClientMaxWindowBits = 10,
                ServerMaxWindowBits = 10
            }
        }
    };
References
[1] WebSocketAcceptContext DangerousEnableCompression Property, Microsoft
[2] ClientWebSocketOptions DangerousDeflateOptions Property, Microsoft
[3] CRIME, CVE
[4] BREACH, CVE
[5] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3)
[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[10] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II, APP3150.1 CAT II
[11] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II, APP3150.1 CAT II
[12] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II, APP3150.1 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II, APP3150.1 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II, APP3150.1 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II, APP3150.1 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II, APP3150.1 CAT II
desc.semantic.dotnet.asp_dotnet_bad_practices_compression_over_encrypted_websocket_connection

ASP.NET Bad Practices: Non-Serializable Object Stored in Session

Abstract
將不可序列化的物件當作 HttpSessionState 屬性儲存,會破壞應用程式的可靠性。
Explanation
根據預設,ASP.NET 伺服器會儲存 HttpSessionState 物件,以及在記憶體中它參照的屬性和任何物件。此模型會將作用中的階段作業狀態限制為,僅由單一機器的系統記憶體來提供。為了擴充這些限制的容量,要頻繁的配置伺服器以維持階段作業狀態資訊,如此不僅可擴充容量,還可在多台機器上進行複製以增進整體的效能。為了要維持其階段作業狀態,伺服器必須序列化 HttpSessionState 物件,此作業要求所有儲存在伺服器中的物件皆為可序列化的。

為了使階段作業能夠正確的進行序列化,所有應用程式儲存為階段作業屬性的物件必須聲明 [Serializable] 屬性。此外,如果物件要求自訂的序列化方法,它還必須執行 ISerializable 介面。

範例 1:以下的類別把自己新增至階段作業中,但因為它不可序列化,這個階段作業也就不能正確也序列化。


public class DataGlob {
   String GlobName;
   String GlobValue;

   public void AddToSession(HttpSessionState session) {
     session["glob"] = this;
   }
}
References
[1] Session State Providers Microsoft Corporation
[2] Underpinnings of the Session State Implementation in ASP.NET Microsoft Corporation
[3] Standards Mapping - Common Weakness Enumeration CWE ID 579
[4] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[5] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[6] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[7] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[8] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[9] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[10] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
desc.structural.dotnet.asp_dotnet_bad_practices_non_serializable_object_stored_in_session

ASP.NET Bad Practices: Unminified Code

Abstract
此檔案中包含尚未精簡的 JavaScript。為了提升效能,Microsoft 建議檔案中應包括 JavaScript 程式庫的精簡版本。
Explanation
藉由縮小檔案大小進行精簡,可提升應用程式中有 JavaScript 檔案頁面的讀取時間。精簡表示移除非必要內容的程序,這些內容包括空白字元、註解、分號、括號、縮短本機變數的名稱及移除無法取得的程式碼。

範例 1:下列 ASPX 程式碼包含 Microsoft jQuery 程式庫的未精簡版本:


...
<script src="http://applicationserver.application.com/lib/jquery/jquery-1.4.2.js" type="text/javascript"></script>
...
References
[1] Optimizations for Improving Load Times Microsoft
[2] Introduction to CSS Minification Microsoft
[3] Microsoft AJAX Minifier Microsoft
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)
[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[7] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[8] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution
[9] Standards Mapping - OWASP Top 10 2010 A1 Injection
[10] Standards Mapping - OWASP Top 10 2013 A1 Injection
[11] Standards Mapping - OWASP Top 10 2017 A1 Injection
[12] Standards Mapping - OWASP Top 10 2021 A03 Injection
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[14] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
desc.semantic.dotnet.asp_net_bad_practices_unminified_code

ASP.NET Bad Practices: Unvalidated Web API Model

Abstract
接收模型的 ASP.NET Web API 動作方法應檢查是否通過模型驗證,防止出現由於未檢查輸入而導致的弱點。
Explanation
在 ASP.NET Web API 服務中,未經驗證的輸入是弱點產生的主因之一。未經檢查的輸入資料會導致許多弱點的產生,包括 Cross-Site Scripting、Process Control、Access Control 和 SQL injection。雖然 ASP.NET Web API 服務在通常情況下不容易因記憶體損壞攻擊而受到影響,但是如果 ASP.NET Web API 服務呼叫未執行陣列界限檢查的本地程式碼,攻擊者就能夠在 ASP.NET Web API 服務中利用輸入驗證弱點發起 Buffer overflow 攻擊。

若要防止此類攻擊:
1. 使用驗證屬性將針對參數或模型繫結物件參數之成員執行的驗證檢查,以程式化方式註解至 ASP.NET Web API 服務動作。
2. 使用 ModelState.IsValid 檢查模型是否通過驗證。
References
[1] Jon Galloway, Phil Haack, Brad Wilson, K. Scott Allen Professional ASP.NET MVC 4 Wrox Press
[2] Model Validation Microsoft ASP.NET Site
[3] Standards Mapping - Common Weakness Enumeration CWE ID 20
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.structural.dotnet.asp_dotnet_bad_practices_unvalidated_web_api_model

ASP.NET Bad Practices: Use of Impersonation Context

Abstract
模仿使用者憑證可讓攻擊者未經授權而存取受保護的資源。
Explanation
為了執行需特定權限的操作,Microsoft ASP.NET 應用程式能夠模擬目前使用者的安全環境或是模擬呼叫它們的程序。雖然模擬環境能夠提供多種用途 (例如減少必要 authentication 的數量),但是擁有高度權限的程式會為整個系統的安全帶來不必要的危險。如果攻擊者利用程式中的另一個弱點,而此程式正在另一個安全環境中執行,則攻擊者能夠執行所有未授權的操作,並擁有與之對應的權限。

範例 1:以下程式碼範例說明使用 WindowsIdentity.Impersonate() 方法模擬憑證的典型方式。


using System.Security.Principal;
...

//Get the identity of the current user
IIdentity contextId = HttpContext.Current.User.Identity;
WindowsIdentity userId = (WindowsIdentity)contextId;

//Temporarily impersonate
WindowsImpersonationContext imp = userId.Impersonate();

//Perform tasks using the caller's security context
DoSecuritySensitiveTasks();

//Clean up and restore our old security context
impersonate.Undo();
Example 1 中的程式碼模擬目前使用者的安全環境,並使用此安全環境執行一個需權限的操作。呼叫 DoSecuritySensitiveTasks() 之後,程式碼企圖還原原始的安全環境,但是如果 DoSecuritySensitiveTasks() 拋出一個異常狀況,將永遠不會呼叫 Undo() 方法,而程式也將持續使用模擬的安全環境。
References
[1] Kirk Evans Security Practices: ASP.NET 2.0 Security Practices at a Glance Microsoft Corporation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 520
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002038, CCI-002039, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, SC-11 Trusted Path
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.controlflow.dotnet.asp_dotnet_bad_practices_use_of_impersonation_context

ASP.NET Middleware Out of Order: Default Cookie Configuration

Abstract
應用程式錯誤指定了 ASP.NET Cookie 原則中介軟體。
Explanation
未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行,進而使應用程式可能面臨各種安全問題。

範例 1:UseCookiePolicy() 方法將 Cookie 原則中介軟體新增到中介軟體管道,進而允許自訂 Cookie 原則。當以錯誤的順序指定時,程式設計師聲明的任何 Cookie 原則將被忽略。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 MP, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

Abstract
應用程式錯誤指定了預設的 ASP.NET HTTPS 重新導向中介軟體。
Explanation
未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行,進而使應用程式可能面臨各種安全問題。

範例 1:UseHttpsRedirection() 方法將 HTTPS 重新導向中介軟體新增到中介軟體管道,進而允許將不安全的 HTTP 要求重新導向到安全的 HTTPS 要求。如果以錯誤的順序指定,則在透過重新導向之前列出的中介軟體處理要求之前,不會發生有意義的 HTTPS 重新導向。這將允許應用程式在重新導向到安全 HTTPS 連線之前處理 HTTP 要求。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123
[8] Standards Mapping - FIPS200 SC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-2 Application Partitioning (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-2 Separation of System and User Functionality, SC-8 Transmission Confidentiality and Integrity
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[14] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication
[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications
[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319
[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

Abstract
應用程式錯誤指定了 ASP.NET Core 記錄中介軟體。
Explanation
未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行,進而使應用程式可能面臨各種安全問題。

範例 1:UseHttpLogging() 方法將 HTTP 記錄中介軟體新增到中介軟體管道,進而允許記錄中介軟體元件。當以錯誤的順序指定時,在呼叫 UseHttpLogging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...
範例 2:UseWC3Logging() 方法將 W3C 記錄中介軟體新增到中介軟體管道,進而允許記錄中介軟體元件。當以錯誤的順序指定時,在呼叫 UseWC3Logging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...
References
[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation
[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)
[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring
[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET Misconfiguration: Certificate Validation Disabled

Abstract
停用憑證驗證非常危險。
Explanation
將憑證驗證模式設為 None 會停用整個憑證驗證過程,這會使應用程式暴露於 Man-in-the-Middle 攻擊之下。生產環境中永遠不應使用此模式。
References
[1] Microsoft Corporation Working with Certificates
[2] Standards Mapping - Common Weakness Enumeration CWE ID 296
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000185, CCI-001941, CCI-001942
[10] Standards Mapping - FIPS200 CM
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-17 Public Key Infrastructure Certificates (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-17 Public Key Infrastructure Certificates
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[16] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[17] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3305 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3305 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3305 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3305 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3305 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3305 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3305 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration_certificate_validation_disabled

ASP.NET Misconfiguration: Cookie Protection Disabled

Abstract
未受保護的 cookie 內容可能會被攻擊者查看或修改。
Explanation
Cookie 常用來儲存使用者的重要資訊,比如個人資訊、Authentication 標記以及作業的歷史資訊。如果此資訊是以純文字方式儲存,那麼任何人只要能夠存取與應用程式互動的機器,都能夠存取儲存在 cookie 中的資訊。更糟糕的是,如果攻擊者可以隨意修改 cookie 中的資料,他們便能夠偽造提供給應用程式的資訊,有可能改變系統的運作方式以對他們有利。

在許多情況下,應用程式可以根據所在的環境來驗證由 cookie 提供的輸入,但 ASP.NET 的驗證框架提供了一個非常好的方法,可保護 cookie 的內容並驗證 cookie 未遭到非期望的修改。如不使用此方法,想要建立所有輸入都經過驗證的高層級信任是非常困難、甚至是不可能的。
References
[1] forms Element for authentication (ASP.NET Settings Schema) Microsoft Corporation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 565
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM, SC
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.dotnet.asp_dotnet_misconfiguration_cookie_protection_disabled

ASP.NET Misconfiguration: Debug Information

Abstract
除錯訊息可幫助攻擊者了解系統並計劃攻擊形式。
Explanation
可設定 ASP .NET 應用程式來產生除錯二進位程式。這些二進位程式提供了詳細的除錯訊息,不應該在生產的環境中使用。<compilation> 標籤的 debug 屬性定義編譯後的二進位程式是否應包含除錯資訊。

使用除錯二進位程式會使應用程式提供許多有關其本身的資訊給使用者。除錯二進位程式只能用於開發或測試的環境中,如果將它們部署在生產的環境中,會有安全上的風險。攻擊者可能利用這些從除錯輸出得到的額外資訊,來發動針對架構、資料庫或應用程式所使用的其他資源的攻擊。
References
[1] compilation Element (ASP.NET Settings Schema) Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 11
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II, APP3620 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II, APP3620 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II, APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II, APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II, APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II, APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II, APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.asp_dotnet_misconfiguration_debug_info

ASP.NET Misconfiguration: Event Validation Disabled

Abstract
停用 ASP.NET 事件驗證可能會允許攻擊者提交未經授權或惡意的回傳 (postback) 要求。
Explanation
事件驗證是一項 ASP.NET 安全功能,它會驗證回傳 (postback) 要求中的事件控制項,以確保這些控制項與初始頁面載入期間呈現的控制項相同。停用此功能後,攻擊者可能會透過竄改事件控制項進行 Cross-Site Request Forgery 攻擊,從而導致未經授權的存取、Cross-Site Scripting 攻擊等。

範例 1:以下 Web 應用程式組態停用了事件驗證。

...
<system.web>
    ...
    <pages enableEventValidation="false">
    ...
    </pages>
</system.web>
範例 2:以下伺服器頁面指令停用了事件驗證。

<%@ Page ... EnableEventValidation="false" %>
References
[1] Page.EnableEventValidation Property Microsoft
[2] Web Development Best Practices Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 113
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[6] Standards Mapping - FIPS200 CM
[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.1 - Web Software Attack Mitigation
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.dotnet.asp_dotnet_misconfiguration_event_validation_disabled

ASP.NET Misconfiguration: Excessive Session Timeout

Abstract
Authentication 逾時時間過長會讓攻擊者獲得較多的時間,而可能危及使用者帳戶。
Explanation
開啟工作階段時間愈久,攻擊者威脅使用者帳戶的機率就愈大。工作階段仍為作用中時,攻擊者可能會暴力破解使用者密碼、破解使用者的無線加密金鑰,或是從開啟的瀏覽器控制工作階段。如果足夠大量的工作階段正在執行,較長的 authentication 逾時時間也會導致無法釋放記憶體,最後造成阻斷服務。

範例 1:以下範例顯示設定了 1 小時 authentication 逾時時間的 ASP.NET MVC。

...
<configuration>
  <system.web>
  <authentication>
    <forms
      timeout="60" />
  </authentication>
  </system.web>
</configuration>
...


如果逾時時間屬性尚未指定,則預設的 authentication 逾時時間為 30 分鐘。
References
[1] MSDN ASP.NET Session State
[2] Standards Mapping - Common Weakness Enumeration CWE ID 613
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361, CCI-004190
[4] Standards Mapping - FIPS200 IA
[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, MA-4 Nonlocal Maintenance
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[10] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 8.2.8
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.config.dotnet.asp_dotnet_misconfiguration_excessive_session_timeout

ASP.NET Misconfiguration: Header Checking Disabled

Abstract
停用表頭檢查會替攻擊者製造執行表頭操作攻擊的機會。
Explanation
依照預設,.NET framework 會防止將新行字元傳送到設定 HTTP 表頭值的 API。不過,可透過將 HttpRuntimeSection 物件的 EnableHeaderChecking 特性設為 false,在程式上停用此行為。

範例 1:以下程式碼停用表頭檢查。

Configuration config = WebConfigurationManager.OpenWebConfiguration("/MyApp");
HttpRuntimeSection hrs = (HttpRuntimeSection) config.GetSection("system.web/httpRuntime");
hrs.EnableHeaderChecking = false;


停用此項檢查時,允許使用者輸入取得表頭設定 API 的程式碼將容易受到攻擊 (如 HTTP Response Splitting)。

References
[1] HttpRuntimeSection.EnableHeaderChecking Property Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 113
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[11] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.1 - Web Software Attack Mitigation
[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.semantic.dotnet.asp_dotnet_misconfiguration_header_checking_disabled