541 找到的項目

弱點

J2EE Bad Practices: Sockets

Java/JSP

Abstract

在 Web 應用程式中，通訊端式的通訊容易發生錯誤。

Explanation

只有在與較舊的系統進行通訊且無法使用更高等級的通訊協定時，J2EE 標準才會允許 Use of Sockets。自己編寫通訊協定將需要解決許多安全上的問題，其中包括：

- 輸入信號與輸出信號的比較

- 通訊協定版本間的相容性

- 通道安全性

- 錯誤處理

- 網路條件約束 (防火牆)

- 階段作業管理

除非經過安全專家的仔細檢查，否則自訂的通訊協定會面臨很多安全性問題。

在執行自訂的標準通訊協定時，也會遇到許多相同的問題。通常有很多可用資源都可以解決執行標準通訊協定時會遇到的安全性問題，但是，攻擊者也可取得這些資源。

References

[1] Java 2 Platform Enterprise Edition Specification, v1.4 Sun Microsystems

[2] Standards Mapping - Common Weakness Enumeration CWE ID 246

[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

desc.semantic.java.j2ee_badpractices_sockets

J2EE Bad Practices: Threads

Java/JSP

Abstract

在某些情況下，會禁止在 Web 應用程式中進行執行緒管理，且執行緒管理非常容易發生錯誤。

Explanation

在某些情況下，J2EE 標準會禁止在 Web 應用程式中進行執行緒管理，且執行緒管理非常容易發生錯誤。管理執行緒非常困難，並且可能會以無法預測的方式干擾應用程式容器的運作。即使容器沒有受到干擾，執行緒管理通常還是會發生錯誤，例如無法偵測並診斷鎖死 (deadlock)、Race Condition 及其他同步錯誤。

References

[1] Java 2 Platform Enterprise Edition Specification, v1.4 Sun Microsystems

[2] Standards Mapping - Common Weakness Enumeration CWE ID 383

[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

desc.semantic.java.j2ee_badpractices_threads

J2EE Misconfiguration: Cookies Disabled

Java/JSP

Abstract

程式未使用 Cookie 來傳輸工作階段識別碼，這可能會替 Session Fixation 及 Session Hijacking 製造攻擊的機會。

Explanation

多數 Web 應用程式使用工作階段識別碼來識別各使用者，該識別碼通常儲存在 Cookie 中，並在伺服器與網路瀏覽器間公開傳輸。

未在 Cookie 中儲存工作階段識別碼的應用程式，有時會傳輸識別碼做為 HTTP 要求參數或 URL 的一部份。接受 URL 中指定的工作階段識別碼，容易讓攻擊者執行 Session Fixation 攻擊。

將工作階段識別碼置於 URL，也可能會增加 Session Hijacking 對應用程式成功攻擊的機會。當攻擊者控制受害者啟用的工作階段或工作階段識別碼時，Session Hijacking 便會發生。網路伺服器、應用程式伺服器及 Web 代理伺服器通常會儲存要求的 URL，這是種常見的作法。若 URL 中包含工作階段識別碼，也會記錄這些識別碼。增加工作階段識別碼檢視及儲存位置的數量，將增加攻擊者危及這些識別碼的機會。

References

[1] The Context Container Apache Software Foundation

[2] Session Fixation OpenText Fortify

[3] Standards Mapping - Common Weakness Enumeration CWE ID 384

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942

[5] Standards Mapping - FIPS200 IA

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.1 Session Binding Requirements (L1 L2 L3), 3.2.3 Session Binding Requirements (L1 L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002270 CAT II

desc.config.java.j2ee_misconfiguration_cookies_disabled

J2EE Misconfiguration: Debug Information

Java/JSP

Abstract

Tomcat 除錯層級 3 或更高層級可能會記錄敏感資料 (包括密碼)。

Explanation

如果您使用 Tomcat 來執行 authentication，Tomcat 部署描述符號檔案會指定「Realm」用於 Authentication。內容將與下列相似：

範例 1：


  <Realm className="org.apache.catalina.realm.JAASRealm"
         appName="SRN"
         userClassNames="com.srn.security.UserPrincipal"
         roleClassNames="com.srn.security.RolePrincipal"/>

此 Realm 標籤有一個名為 debug 的選擇性屬性，由它來指示記錄層級。數字越大，記錄的訊息就越詳細。如果除錯層級設定過高，Tomcat 會把所有的使用者名稱和密碼以純文字方式寫入至記錄檔中。Tomcat JAASRealm 相關的除錯訊息的臨界值是 3 (3 或更高表示有問題，2 或更低表示正常)，但此臨界值可能會因 Tomcat 提供不同的 realm 類型而有所不同。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 215

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[7] Standards Mapping - FIPS200 CM

[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_debug_information

J2EE Misconfiguration: Direct JSP Access

Java/JSP

Abstract

直接存取 Java Server Page 會導致 system information leak、原始碼洩漏，甚至執行任意程式碼。

Explanation

在使用 Web 架構，例如 Struts 或 Spring (使用動作或 Servlet 對 JSP 發出請求) 所建立的應用程式中，直接存取 Java Server Page (JSP)，可能會導致無法處理的異常以及系統資訊洩露。執行或設定不當的應用程式伺服器已被用來洩露原始碼詳細資料，使用的手段則包括 http://host/page.jsp%00 或 http://host/page.js%2570 等精心設計的要求。更糟的是，如果應用程式允許使用者上傳任意檔案，攻擊者可能使用此機制，上傳以 JSP 型式製作的惡意程式碼，並要求已上傳頁面，以在伺服器上執行惡意程式碼。

範例 1：以下範例說明建構不良的安全性限制，明確允許角色名稱中含有「*」直接存取 JSP，因此，這表示所有使用者都可以存取對應的 Web 資源。


<security-constraint>
    <web-resource-collection>
        <web-resource-name>JSP Access for Everyone!</web-resource-name>
        <description>Allow any user/role access to JSP</description>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

References

[1] Jordan Dimov JSP Security

[2] Standards Mapping - Common Weakness Enumeration CWE ID 497

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.3 Unintended Security Disclosure Requirements (L1 L2 L3)

[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1, Requirement 6.5.5

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1, Requirement 6.5.5

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1, Requirement 6.5.5

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1, Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1, Requirement 6.5.5

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention, Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention, Control Objective 4.2 - Critical Asset Protection

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention, Control Objective 4.2 - Critical Asset Protection

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.j2ee_misconfiguration_direct_jsp_access

J2EE Misconfiguration: Duplicate Security Role

Java/JSP

Abstract

存在擁有相同名稱的多個安全性角色。相同的安全性角色通常表示沒有被除錯程式碼或拼字錯誤。

Explanation

相同的安全性角色並無意義，因為只會套用特定安全性角色的最後定義。
範例 1：在 web.xml 檔案中的項目定義了兩個 admin 角色。


<security-constraint>
    <web-resource-collection>
        <web-resource-name>AdminPage</web-resource-name>
        <description>Admin only pages</description>
        <url-pattern>/auth/noaccess/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Administrators only</description>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
...
<security-role>
    <description>Administrator</description>
    <role-name>admin</role-name>
</security-role>

<security-role>
    <description>Non-Administrator</description>
    <role-name>admin</role-name>
</security-role>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 284

[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[5] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[6] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[7] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[9] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.j2ee_misconfiguration_duplicate_security_role

J2EE Misconfiguration: Duplicate Servlet Mapping

Java/JSP

Abstract

相同的 URL 模式存在有多個 Servlet 對應。相同的 Servlet 對應通常表示沒有被除錯的程式碼或拼字錯誤。

Explanation

相同的 Servlet 對應是沒有意義的，因為在多個 Servlet 對應中使用相同 URL 模式時，只會套用最後一個項目。

範例 1：在以下範例中，兩個不同的 Servlet 對應中使用 URL 模式 /servletA/*。


<servlet-mapping>
    <servlet-name>ServletA</servlet-name>
    <url-pattern>/servletA/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>ServletB</servlet-name>
    <url-pattern>/servletA/*</url-pattern>
</servlet-mapping>

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 684

[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[6] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.j2ee_misconfiguration_duplicate_servlet_mapping

J2EE Misconfiguration: Excessive Servlet Mappings

Java/JSP

Abstract

多個 URL 模式對應至單一 Servlet，通常表示架構不良或是不夠標準化。

Explanation

多個 URL 模式對應至單一 Servlet，可能代表該 Servlet 執行了太多功能。

範例 1：以下範例將五個 URL 模式對應至單一 Servlet。


<servlet>
    <servlet-class>com.class.MyServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/myservlet</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/helloworld*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/mservlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 684

[3] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[4] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[5] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

desc.config.java.j2ee_misconfiguration_excessive_servlet_mappings

J2EE Misconfiguration: Excessive Session Timeout

Java/JSP

Abstract

工作階段逾時時間過長會讓攻擊者獲得較多的時間，就可能危及使用者帳戶。

Explanation

開啟工作階段時間愈久，攻擊者威脅使用者帳戶的機率就愈大。工作階段仍為作用中時，攻擊者可能會暴力破解使用者密碼、破解使用者的無線加密金鑰，或是從開啟的瀏覽器控制工作階段。如果足夠大量的工作階段正在執行，較長的工作階段逾時時間也會導致無法釋放記憶體，最後造成阻斷服務。

範例 1：如果工作階段逾時時間為零或小於零，該工作階段永遠不會過期。以下範例顯示工作階段逾時時間設定為 -1，就會無限期保留工作階段為作用中。


<session-config>
    <session-timeout>-1</session-timeout>
</session-config>

<session-timeout> 標籤定義 Web 應用程式中，所有工作階段的預設逾時時間間隔。如果沒有 <session-timeout> 標籤，就會交由容器來設定預設逾時時間。

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 613

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361, CCI-004190

[4] Standards Mapping - FIPS200 IA

[5] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, MA-4 Nonlocal Maintenance

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)

[10] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[11] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[16] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 8.2.8

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration

desc.config.java.j2ee_misconfiguration_excessive_session_timeout

J2EE Misconfiguration: Incomplete Error Handling

Java/JSP

Abstract

Web 應用程式必須定義預設的錯誤頁面，以避免攻擊者從應用程式容器的內建錯誤回應中挖掘資訊。

Explanation

當攻擊者瀏覽網站尋找弱點時，網站所提供的資訊數量是任何攻擊的成敗關鍵。如果應用程式向攻擊者顯示堆疊追蹤的資訊，其所釋出的資訊使攻擊者的攻擊變得輕而易舉。例如，堆疊追蹤可能顯示下列資訊給攻擊者：SQL 查詢語句、使用的程式庫類型、應用程式容器的版本。攻擊者可以從這些資訊中找到這些元件的弱點。

因此，應用程式組態應指定預設錯誤頁面以確保應用程式不會向攻擊者洩漏錯誤訊息。處理標準 HTTP 錯誤程式碼是簡單、有用、安全的作法，完善的組態還會定義用於補救的錯誤處理器，來捕捉應用程式可能會拋出的所有異常。

References

[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley

[2] Standards Mapping - Common Weakness Enumeration CWE ID 7

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272

[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-23 Data Mining Protection (P0), SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-23 Data Mining Protection, SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[10] Standards Mapping - OWASP Top 10 2004 A7 Improper Error Handling

[11] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.7

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.2, Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3120 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3120 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3120 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3120 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3120 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3120 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3120 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000450 CAT II, APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[52] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_incomplete_error_handling

J2EE Misconfiguration: Insecure Transport

Java/JSP

Abstract

設定應用程式時，應該要確定所有存取控制的頁面是使用 SSL。

Explanation

如果應用程式使用 SSL 來確保與用戶端瀏覽器之間的機密通訊，那麼應用程式組態應該規定如未使用 SSL，就無法查看任何存取控制的頁面。

通常有以下三種方式可略過 SSL：

- 使用者手動輸入 URL，且輸入「HTTP」而不是「HTTPS」。

- 攻擊者有意的將使用者傳送到不安全的 URL。

- 程式設計師在應用程式中錯誤的建立了相關頁面的連結，使其未能從 HTTP 轉換成 HTTPS。(這種情況很容易發生，尤其在網站中的公用和安全區域之間的連結移動。)

References

[1] A. Taylor et al. J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) Osborne/McGraw-Hill

[2] Standards Mapping - Common Weakness Enumeration CWE ID 5

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[4] Standards Mapping - FIPS200 CM, SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[13] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_insecure_transport

J2EE Misconfiguration: Insufficient Session ID Length

Java/JSP

Abstract

工作階段識別碼的長度至少要有 128 位元，以避免暴力破解攻擊。

Explanation

WebLogic 部署描述符號至少應該指定長度 24 位元組的工作階段識別碼。長度較短的工作階段識別碼會使應用程式暴露於暴力破解的攻擊下。如果攻擊者可以猜測出驗證使用者的工作階段識別碼，他就能夠控制使用者的工作階段。以下的解釋將詳細說明 24 位元組工作階段識別碼的合理性。

階段作業識別碼是由 62 個英數字元所組成的虛擬隨機亂數，這表示，如果字串真的是隨機組成的，則每個位元組最高能產生 6 位元的複雜度。

以下方程式提供猜測有效的工作階段識別碼所需的秒數：

(2^B+1) / (2*A*S)

其中：

- B 是工作階段識別碼中複雜度 (entropy) 的位元數。

- A 表示攻擊者每秒可能嘗試猜測的次數。

- S 是指在任何時間內可供猜測的有效工作階段識別碼數目。

工作階段識別碼中的複雜度 (entropy) 位元數比工作階段識別碼的總位元數要少。例如，如果以遞增的次序提供工作階段識別碼，則不管識別碼的長度如何，在工作階段識別碼中會有接近於 0 位元的複雜度 (entropy)。假設工作階段識別碼是使用好的隨機數字來源所產生，我們估算工作階段識別碼中複雜度 (entropy) 的位元數將是總工作階段識別碼位元數的一半。以樂觀態度來看，有可能存在此長度的識別碼。

如果攻擊者使用成千上百個受感染的電腦組成的僵屍電腦網路 (botnet)，那麼他們可進行每秒幾萬次的猜測。如果此問題網站很大而且很多人點閱，有時可能會忽略其大量的猜測行為。

可供猜測的有效工作階段識別碼數量的較低界線為，在任何時間內於網站上活動的使用者數量。不過，任何沒有登出就離開工作階段的使用者將會使此數目增加。(這就是為什麼要將未活動工作階段逾時時間設短一點的原因之一。)

使用 64 位元的工作階段識別碼，假設會有 32 位元的複雜度。對於大型網站，假設攻擊者每秒可能嘗試猜測 1000 次，並且在任何給定時間有 10000 個有效的工作階段識別碼。根據這些假設，攻擊者成功猜到有效的工作階段識別碼的預估時間大約在 4 分鐘以內。

現在假設使用 128 位元的工作階段識別碼，提供 64 位元的複雜度。對於超大型網站，攻擊者在 100000 個可猜測的有效工作階段識別碼中可以嘗試每秒 10000 次的猜測。根據這些假設，攻擊者成功猜到有效的工作階段識別碼的預估時間將超過 292 年。

將位元換成位元組，則工作階段識別碼為 128/6，大約產生 21 個位元組。此外，實驗顯示，工作階段識別碼的前三個位元組不是隨機產生的，這表示要達到想要的 64 位元的複雜度 (entropy)，我們需要將 WebLogic 設定為使用長度為 24 位元組的工作階段識別碼。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 6

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001941, CCI-001942

[3] Standards Mapping - FIPS200 IA

[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002290 CAT II

[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.java.j2ee_misconfiguration_insufficient_session_id_length

J2EE Misconfiguration: Invalid Servlet Name

Java/JSP

Abstract

無效的 Servlet 名稱可能會造成無法合法存取預定的 Servlet。

Explanation

web.xml 中，沒有 Servlet 名稱或是有相同的 Servlet 名稱，視為錯誤。每個 Servlet 應該擁有專屬名稱 (servlet-name ) 以及相符的對應 (servlet-mapping)。

範例 1：以下 web.xml 中的項目顯示了數個錯誤 Servlet 定義。


<!-- No <servlet-name> specified: -->
    <servlet>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

<!-- Empty <servlet-name> node: -->
    <servlet>
        <servlet-name/>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

<!-- Duplicate <servlet-name> nodes: -->
    <servlet>
        <servlet-name>MyServlet</servlet-name>
        <servlet-name>Servlet</servlet-name>
        <servlet-class>com.class.MyServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

這些錯誤可能會造成意外拒絕存取 Servlet。

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Standards Mapping - Common Weakness Enumeration CWE ID 684

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[6] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[7] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[13] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[36] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[37] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_invalid_servlet_name

J2EE Misconfiguration: Missing Authentication Method

Java/JSP

Abstract

如果沒有登入組態，安全性與授權限制就會失敗。

Explanation

使用 <login-config> 元素來設定使用者驗證至應用程式的方式。因為沒有人可以登入，沒有 authentication 方式就表示該應用程式不知道套用授權限制的方式。Authentication 方式是使用 <auth-method> 標籤進行指定，該標籤也是 <login-config> 的子項。

Authentication 方式共有四種：BASIC、FORM、DIGEST 和 CLIENT_CERT。

BASIC 代表 HTTP Basic 驗證。
FORM 代表表單架構驗證。
DIGEST 與 BASIC 驗證類似，但在 DIGEST 中，會將密碼加密。
CLIENT_CERT 要求用戶端擁有公開金鑰憑證並使用 SSL/TLS。

範例 1：以下組態並未指定登入組態。


<web-app>

    <!-- servlet declarations -->
    <servlet>...</servlet>

    <!-- servlet mappings-->
    <servlet-mapping>...</servlet-mapping>

    <!-- security-constraints-->
    <security-constraint>...</security-constraint>

    <!-- login-config goes here -->

    <!-- security-roles -->
    <security-role>...</security-role>

</web-app>

References

[1] Sun Microsystems, Inc. Java Servlet Specification 2.4

[2] Sun Microsystems, Inc. Specifying an Authentication Mechanism

[3] Standards Mapping - Common Weakness Enumeration CWE ID 284

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000778, CCI-001094, CCI-001958, CCI-001967

[5] Standards Mapping - FIPS200 IA

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), SC-5 Denial of Service Protection (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, SC-5 Denial of Service Protection

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[16] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001640 CAT II, APSC-DV-001650 CAT II, APSC-DV-001660 CAT II, APSC-DV-002400 CAT II

[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.config.java.j2ee_misconfiguration_missing_authentication_method

J2EE Misconfiguration: Missing Data Transport Constraint

Java/JSP

Abstract

未指定使用者資料限制的安全性限制無法保證在傳輸層，保護受限資源。

Explanation

web.xml 安全性限制通常用來做為角色為基礎的 Access Control 使用，但是選用的 user-data-constraint 元素會指定傳輸保證，避免以不安全的方式傳輸內容。

在 <user-data-constraint> 標籤內，<transport-guarantee> 標籤會定義應該如何處理通訊。傳輸保證共有三個層級：

1) NONE 表示應用程式不需要任何傳輸保證。
2) INTEGRAL 表示應用程式需要用戶端和伺服器之間使用此方法傳送資料，如此一來在傳輸資料時就不會變更。
3) CONFIDENTIAL 表示應用程式會要求要以避免其他實體可檢視傳輸內容的方式來傳送資料。

在大部分情況中，使用 INTEGRAL 或 CONFIDENTIAL 就表示必須使用 SSL/TLS。如果省略了 <user-data-constraint> 和 <transport-guarantee> 標籤，傳輸保證會預設為 NONE。

範例 1：以下安全性限制不會指定傳輸保證。


<security-constraint>
    <web-resource-collection>
        <web-resource-name>Storefront</web-resource-name>
        <description>Allow Customers and Employees access to online store front</description>
        <url-pattern>/store/shop/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>Anyone</description>
        <role-name>anyone</role-name>
    </auth-constraint>
</security-constraint>

References

[1] Sun Microsystems, Inc. Java EE 5 Tutorial: Establishing a Secure Connection Using SSL

[2] Sun Microsystems, Inc. Java Servlet Specification Version 2.3

[3] Standards Mapping - Common Weakness Enumeration CWE ID 5

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[5] Standards Mapping - FIPS200 CM, SC

[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[14] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[54] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.config.java.j2ee_misconfiguration_missing_data_transport_constraint

J2EE Misconfiguration: Missing Error Handling

Java/JSP