205 找到的項目

弱點

.NET Bad Practices: Leftover Debug Code

C#/VB.NET/ASP.NET

Abstract

除錯程式碼可能會在部署中產生非預期的負面影響。

Explanation

使用僅用於除錯用途的 API。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.dotnet.dotnet_bad_practices_leftover_debug_code

ADF Bad Practices: Default url-invoke-disallowed Setting

Java/JSP

Abstract

依賴隱含的預設 url-invoke-disallowed 設定會缺少清晰度，而且如果在預期外變更預設，可能會導致不必要的行為。

Explanation

依照預設，Fusion 應用程式中的工作流程無法直接從 GET 要求中存取：每次 URL 嘗試叫用工作流程時，就會收到一個 HTTP 403 狀態碼。但是，依賴隱含的設定總是會缺少清晰度，而且如果在下方變更預設設定，可能會導致不必要的行為。

範例 1：下列來自工作流程定義檔的片段顯示使用隱含預設 url-invoke-disallowed 設定所設定的工作流程範例。


...
    <task-flow-definition id="password">
        <default-activity>PasswordPrompt</default-activity>
        <view id="PasswordPrompt">
            <page>/PasswordPrompt.jsff</page>
        </view>
        <use-page-fragments/>
    </task-flow-definition>
...

References

[1] Oracle(R) Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework, 15.6.4.How to Call a Bounded Task Flow Using a URL

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[3] Standards Mapping - FIPS200 CM

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation

[6] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[7] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[9] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[28] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.java.adf_bad_practices_default_url_invoke_disallowed_setting

ADF Faces Bad Practices: unsecure Attribute

Java/JSP

Abstract

unsecure 屬性會指定一個屬性清單，其值可以在用戶端上設定。

Explanation

Oracle ADF Faces 元件的屬性值通常只能在伺服器上設定。但是，有許多元件允許開發人員定義可以在用戶端上設定的屬性清單。這些元件的 unsecure 屬性可以指定此類清單。

目前，唯一能夠在 unsecure 屬性內顯示的屬性是 disabled，而且它允許用戶端定義哪些元件為啟用，而哪些元件不啟用。讓用戶端控制應該在僅能在伺服器上設定的屬性值，絕對不是個好方法。

範例 1：以下程式碼示範了 inputText 元件，該元件會從使用者收集密碼資訊，並使用 unsecure 屬性。


...
    <af:inputText id="pwdBox"
                  label="#{resources.PWD}"
                  value=""#{userBean.password}
                  unsecure="disabled"
                  secret="true"
                  required="true"/>
...

References

[1] Oracle ADF Faces Tag Reference

[2] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[3] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

desc.structural.java.adf_faces_bad_practices_unsecure_attribute

Android Bad Practices: Encryption Secret Held in Static Field

Java/JSP

Abstract

應用程式在靜態類別欄位中保留加密金鑰，讓攻擊者能夠輕鬆復原。

Explanation

在靜態類別欄位中儲存加密金鑰讓可存取程序記憶體 (例如，取得 Root 權限的裝置) 或程序記憶體傾印 (例如，損毀傾印) 的實體能夠輕鬆復原。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 226

[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090, CCI-001199

[6] Standards Mapping - FIPS200 IA

[7] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-4 Information Flow Enforcement (P1), SC-4 Information in Shared Resources (P1), SC-28 Protection of Information at Rest (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-4 Information Flow Enforcement, SC-4 Information in Shared System Resources, SC-28 Protection of Information at Rest

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 8.3.6 Sensitive Private Data (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-2

[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage

[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage

[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage

[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure

[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure

[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 3.4, Requirement 6.5.8, Requirement 8.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 3.4, Requirement 6.5.3, Requirement 8.2.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 3.3.2, Requirement 3.3.3, Requirement 3.5.1, Requirement 6.2.4, Requirement 8.3.1

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.2 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.2 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3230.2 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3230.2 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3230.2 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3230.2 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3230.2 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3230.2 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3230.2 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002330 CAT II, APSC-DV-002380 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.java.android_bad_practices_encryption_secret_held_in_static_field

Android Bad Practices: Leftover Debug Code

Java/JSP

Abstract

除錯程式碼可能會影響效能或洩露敏感資料給攻擊者。

Explanation

開發作業一般會為了除錯或測試目而增加一些「後門」程式碼，這些程式碼不會隨應用程式一起提供或部署。當這類除錯程式碼意外地留在應用程式中時，會導致應用程式開放在未預期的互動模式。這些後門入口點很容易造成安全問題，因為在設計或者測試期間，並沒有將它們考慮在內，並且不會出現在應用程式設計中的操作環境中。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.2.2 Dependency (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)

[4] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-RESILIENCE-4

[5] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[6] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.structural.java.android_bad_practices_leftover_debug_code

Android Bad Practices: Use of File Scheme Cookies

Java/JSP

Abstract

應用程式允許針對 file:// 通訊協定使用 Cookie，這可能會造成不良的安全性影響。

Explanation

根據 RFC 2109，Cookie 嚴格意義上來說是 HTTP 機制。不應合理預期 Cookie 適用於除 HTTP 以外的通訊協定，包括 file://。目前尚不確定其行為，以及應套用哪些安全性劃分規則。例如，從網際網路下載到本機磁碟的 HTML 檔案是否應該與本機安裝的任何 HTML 程式碼共用相同的 Cookie？

References

[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[2] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

desc.semantic.java.android_bad_practices_use_of_file_scheme_cookies

ASP.NET Middleware Out of Order: Default Cookie Configuration

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了 ASP.NET Cookie 原則中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseCookiePolicy() 方法將 Cookie 原則中介軟體新增到中介軟體管道，進而允許自訂 Cookie 原則。當以錯誤的順序指定時，程式設計師聲明的任何 Cookie 原則將被忽略。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseCookiePolicy();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 1188, CWE ID 565

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002418, CCI-002420, CCI-002421, CCI-002422

[4] Standards Mapping - FIPS200 MP, SC

[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-6 Configuration Settings (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-6 Configuration Settings, SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.1 General Access Control Design (L1 L2 L3)

[9] Standards Mapping - OWASP Mobile 2014 M4 Unintended Data Leakage

[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design, Control Objective 2.3 - Secure Defaults, Control Objective C.4.1 - Web Software Communications

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[53] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_default_cookie_configuration

ASP.NET Middleware Out of Order: Insecure Transport

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了預設的 ASP.NET HTTPS 重新導向中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseHttpsRedirection() 方法將 HTTPS 重新導向中介軟體新增到中介軟體管道，進而允許將不安全的 HTTP 要求重新導向到安全的 HTTPS 要求。如果以錯誤的順序指定，則在透過重新導向之前列出的中介軟體處理要求之前，不會發生有意義的 HTTPS 重新導向。這將允許應用程式在重新導向到安全 HTTPS 連線之前處理 HTTP 要求。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpsRedirection();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 200, CWE ID 311, CWE ID 319

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200

[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[8] Standards Mapping - FIPS200 SC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), MA-4 Nonlocal Maintenance (P2), SC-2 Application Partitioning (P1), SC-8 Transmission Confidentiality and Integrity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, MA-4 Nonlocal Maintenance, SC-2 Separation of System and User Functionality, SC-8 Transmission Confidentiality and Integrity

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[14] Standards Mapping - OWASP Mobile 2024 M5 Insecure Communication

[15] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[16] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.3 - Sensitive Data Retention, Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective B.2.5 - Terminal Software Design, Control Objective C.4.1 - Web Software Communications

[32] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002150 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insecure_transport

ASP.NET Middleware Out of Order: Insufficient Logging

C#/VB.NET/ASP.NET

Abstract

應用程式錯誤指定了 ASP.NET Core 記錄中介軟體。

Explanation

未依正確順序新增到中介軟體管道的 ASP.NET Core 中介軟體將無法依預期般執行，進而使應用程式可能面臨各種安全問題。

範例 1：UseHttpLogging() 方法將 HTTP 記錄中介軟體新增到中介軟體管道，進而允許記錄中介軟體元件。當以錯誤的順序指定時，在呼叫 UseHttpLogging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseHttpLogging();
...

範例 2：UseWC3Logging() 方法將 W3C 記錄中介軟體新增到中介軟體管道，進而允許記錄中介軟體元件。當以錯誤的順序指定時，在呼叫 UseWC3Logging() 之前將不會記錄新增到管道的任何中介軟體。


...
var builder = WebApplication.CreateBuilder(...);
var app = builder.Build(...);
app.UseStaticFiles();
app.UseRouting();
app.UseSession();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
    ...
}

app.UseWC3Logging();
...

References

[1] Rick Anderson, Steve Smith ASP.NET Core Middleware Microsoft

[2] Standards Mapping - Common Weakness Enumeration CWE ID 696, CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, AU-12 Audit Record Generation

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[10] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[13] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[49] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.controlflow.dotnet.asp_dotnet_middleware_out_of_order_insufficient_logging

ASP.NET MVC Bad Practices: Controller Action Not Restricted to POST

C#/VB.NET/ASP.NET

Abstract

控制器動作可能會因受限於只能接受以下 HTTP 動詞之一而受益：Post、Put、Patch 或 Delete。

Explanation

透過寫入、更新或刪除方式修改資料的 ASP.NET MVC 控制器動作可能會因受限於只能接受以下其中一個 HTTP 動詞而受益：Post、Put、Patch 或 Delete。這會增加 Cross-Site Request Forgery 的難度，因為不小心點選連結將不會導致動作執行。

以下控制項動作預設狀況下接受任何動詞，可能容易受到跨網站偽造要求攻擊：


public ActionResult UpdateWidget(Model model)
{
  // ... controller logic
}

References

[1] Don't use Delete Links because they create Security Holes

[2] Standards Mapping - Common Weakness Enumeration CWE ID 352

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [4] CWE ID 352

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)

[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)

[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352

[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352

[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)

[57] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery

desc.structural.dotnet.aspnet_mvc_bad_practices_action_not_post_only

ASP.NET MVC Bad Practices: Model With Optional and Required Properties

C#/VB.NET/ASP.NET

Abstract

模型類別擁有需要的屬性，也擁有不需要的屬性，因此可能受到過度公佈攻擊。

Explanation

若使用的模型類別既有需要的屬性 (以 [Required] 屬性標明)，也有選用的屬性 (未以 [Required] 屬性標明)，在攻擊者傳送的要求所含資料多於預期時，會發生問題。

ASP.NET MVC 框架嘗試將要求參數繫結至模型屬性。

若兼具多種需求，但未明確指出哪些參數將繫結至模型，此狀況可能表示有些模型屬性供內部使用，但是可由攻擊者控制。

以下程式碼定義了某種可能的模型類別，該類別既包含擁有 [Required] 的屬性，也包含沒有 [Required] 的屬性：


public class MyModel
{
    [Required]
    public String UserName { get; set; }

    [Required]
    public String Password { get; set; }

    public Boolean IsAdmin { get; set; }
}

若選用參數能變更應用程式的行為，則攻擊者就能透過在要求中傳送選用參數來實際變更該行為。

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] BindAttribute Class

[3] RequiredAttribute Class

[4] Standards Mapping - Common Weakness Enumeration CWE ID 345

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[8] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[10] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[12] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[13] Standards Mapping - OWASP Top 10 2010 A1 Injection

[14] Standards Mapping - OWASP Top 10 2013 A1 Injection

[15] Standards Mapping - OWASP Top 10 2017 A1 Injection

[16] Standards Mapping - OWASP Top 10 2021 A03 Injection

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[34] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_mixed_required_model

ASP.NET MVC Bad Practices: Model With Required Non-Nullable Property

C#/VB.NET/ASP.NET

Abstract

模型類別擁有所需的不可為 Null 的屬性，因此可能容易受到公佈不足攻擊。

Explanation

若使用的模型類別擁有所需的不可為 Null 的屬性 (以 [Required] 屬性標明)，在攻擊者傳送的要求所含資料少於預期時，會發生問題。

ASP.NET MVC 框架嘗試將要求參數繫結至模型屬性。

若模型包含所需的不可為 Null 的參數，而攻擊者並未在要求中傳送所需的該參數 (即攻擊者使用公佈不足攻擊)，則該屬性將具有符合 [Required] 驗證屬性需求的預設值 (通常為零)。這可能會產生非預期的應用程式行為。

以下程式碼定義了某種可能的模型類別，該類別包含所需的列舉 (不可為 Null)：


public enum ArgumentOptions
{
    OptionA = 1,
    OptionB = 2
}

public class Model
{
    [Required]
    public String Argument { get; set; }

    [Required]
    public ArgumentOptions Rounding { get; set; }
}

References

[1] Input Validation vs. Model Validation in ASP.NET MVC

[2] Standards Mapping - Common Weakness Enumeration CWE ID 345

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002422

[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[6] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[7] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)

[8] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[9] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[10] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws

[11] Standards Mapping - OWASP Top 10 2010 A1 Injection

[12] Standards Mapping - OWASP Top 10 2013 A1 Injection

[13] Standards Mapping - OWASP Top 10 2017 A1 Injection

[14] Standards Mapping - OWASP Top 10 2021 A03 Injection

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.6

[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002470 CAT II

[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002470 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002470 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002470 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002470 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002470 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002470 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002470 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002470 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002470 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002470 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002470 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002470 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002470 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002470 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002470 CAT II

[32] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.structural.dotnet.aspnet_mvc_bad_practices_required_non_nullable_in_model

ASP.NET MVC Bad Practices: Optional Submodel With Required Property

C#/VB.NET/ASP.NET

Abstract

模型類別擁有所需的屬性，該屬性的類型是父系模型類型的選用成員，因此可能容易受到公佈不足攻擊。

Explanation

若模型類別擁有所需的屬性，該屬性的類型是父系模型類型的選用成員，則在攻擊者傳送的要求所含資料少於預期時，可能容易受到公佈不足攻擊。

ASP.NET MVC 框架嘗試將要求參數繫結至模型屬性 (包括子模型)。

若子模型為選用項目 (即父系模型擁有的某個屬性沒有 [Required] 屬性)，則在攻擊者未傳送該子模型時，父系屬性的值將是 null，模型驗證將不會宣告子模型的所需欄位。這是公佈不足攻擊的一種形式。

請考慮以下模型類別定義：


public class ChildModel
{
    public ChildModel()
    {
    }

    [Required]
    public String RequiredProperty { get; set; }
}

public class ParentModel
{
    public ParentModel()
    {
    }

    public ChildModel Child { get; set; }
}

若攻擊者未傳送 ParentModel.Child 屬性的值，則 ChildModel.RequiredProperty 屬性將擁有未宣告的 [Required]。這可能會產生非預期且不適當的結果。