界: Security Features

軟體安全性並非安全性軟體。我們關注驗證、Access Control、保密性、加密以及權限管理之類的主題。

312 找到的項目

弱點

ASP.NET Misconfiguration: Logging Sensitive Information

C#/VB.NET/ASP.NET

Abstract

W3Clogger 中介軟體設定不當，會導致記錄敏感資訊。

Explanation

ASP.NET W3Clogger.loggingFields 可以設定為允許記錄敏感資料，例如私人資訊和系統資訊。
此資料可能包含與 HTTP 要求和 HTTP 回應相關的敏感資訊，例如用戶端/伺服器 IP、伺服器連接埠、標頭 cookie 和存取伺服器的經過驗證的使用者名稱。

萬一有資料外洩的情況，對手可以使用此資訊來：

- 竊取敏感資訊或冒充具有更高權限的使用者。
- 探索內部伺服器，獲得對受限資源的未授權存取。
- 設計攻擊並將重點放在利用針對所偵測伺服器報告的已知弱點

範例 1：以下程式碼顯示已停用驗證的控制項中的動作方法。


  builder.Services.AddW3CLogging(logging =>
    logging.LoggingFields = W3CLoggingFields.All;

    ... )

Example 1 顯示如何使用 All 旗標，將 W3Clogging 設定為記錄 Http 要求中的所有可能欄位，例如 ClientIpAddress、ServerName、ServerIpAddress、ServerPort、UserName 和 Cookie。

References

[1] Building Secure ASP.NET Pages and Controls Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark partial

[7] Standards Mapping - Common Weakness Enumeration CWE ID 5

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[9] Standards Mapping - FIPS200 CM, SC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-8 Transmission Confidentiality and Integrity (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-8 Transmission Confidentiality and Integrity

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.1.3 Build (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[22] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[56] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.dotnet.asp_dotnet_misconfiguration_logging_sensitive_information

ASP.NET Misconfiguration: Persistent Authentication

C#/VB.NET/ASP.NET

Abstract

Persistent Authentication 許可證會讓使用者容易遭遇階段作業劫持攻擊。

Explanation

FormsAuthentication.RedirectFromLoginPage() 方法會發出 authentication 許可證，此許可證可讓使用者在特定的一段期間內維持驗證的身分。若將該方法的第二個參數設為 false，它會發出一個臨時的 authentication 許可證，其有效期在 web.config 中配置。若將第二個參數設為 true，此方法會發出 Persistent Authentication 許可證。在.NET 2.0 中，許可證的有效期為在 web.config 中配置的值，但在.NET 1.1 中，Persistent Authentication 許可證的有效期有個不可思議的預設值－ 50 年！

允許 Persistent Authentication 許可證長時期的存在，會讓使用者和系統容易遭遇以下幾種攻擊：

對那些沒有登出的使用者，Persistent Authentication 許可證延長了其暴露在階段作業劫持攻擊的時間。

Persistent Authentication 許可證增加了攻擊者猜中有效的階段作業識別碼的機率。

當攻擊者成功地劫持了使用者的階段作業後，這將使攻擊者有更多的時間來盜取資訊。

References

[1] Jeff Prosise The Keep Sites Running Smoothly By Avoiding These 10 Common ASP.NET Pitfalls MSDN Magazine

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 302

[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185, CCI-001941, CCI-001942

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity

[17] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[18] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[19] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[20] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[21] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[22] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.1 Service Authentication Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[25] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[26] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001530 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.dotnet.asp_dotnet_misconfiguration_persistent_authentication

ASP.NET Misconfiguration: Unsafe Header Parsing

C#/VB.NET/ASP.NET

Abstract

應用程式設定的屬性會導致 HTTP 剖析期間忽略驗證錯誤。

Explanation

將 useUnsafeHeaderParsing 設定為 true 會鬆懈 HTTP 表頭的處理過程。過度允許的 HTTP 表頭驗證規則會導致易受攻擊的應用程式遭受各種攻擊。

明確的說，當這個屬性設為 False 時，下列的驗證規則就不再強制執行：

行尾程式碼中，請使用 CRLF；不可單獨使用 CR 或 LF。

標頭名稱中不可有空白。

如果多重狀態行存在，所有額外的狀態行將被視為異常的標頭名稱/值對。

狀態行除了狀態碼之外，還必須有狀態描述。

標頭名稱內不可有非 ASCII 字元。不管屬性為 True 或 False，都會執行驗證。

如發生違反通訊協定事項，將拋出 WebException 例外狀況，其狀態會設為 ServerProtocolViolation。如果 UseUnsafeHeaderParsing 屬性設為 True，則會忽略驗證錯誤。

將屬性設定為 True 有其隱含的安全問題，因此除非伺服器必須具備回溯相容性，否則不應如此設定。

範例 1：在以下範例中，useUnsafeHeaderParsing 設定為 true。


...
<configuration>
   <system.net>
   <settings>
      <httpWebRequest  useUnsafeHeaderParsing="true" />
   </settings>
   </system.net>
</configuration>
...

References

[1] HttpWebRequestElement.UseUnsafeHeaderParsing Property Microsoft

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 113

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[19] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[20] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.1 - Web Software Attack Mitigation

[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.config.dotnet.asp_dotnet_misconfiguration_unsafe_header_parsing

ASP.NET Misconfiguration: ViewStateMac Disabled

C#/VB.NET/ASP.NET

Abstract

停用檢視狀態訊息 Authentication 檢查 (MAC) 可讓攻擊者能夠修改 View State。

Explanation

在 ASP.NET，檢視狀態是一種在回傳 (postback) 間持續網路表單狀態的機制。檢視狀態中儲存的資料不受信任，因為沒有防止重複進行攻擊的機制。當停用檢視狀態訊息 Authentication 檢查時，信任檢視狀態將更為危險。停用此項檢查，會讓攻擊者對檢視狀態中儲存的資料任意進行變更，並製造對信任檢視狀態的程式碼的攻擊機會。攻擊者可使用這種錯誤來破解 Authentication 檢查或修改項目定價。

References

[1] Understanding ASP.NET View State Microsoft

[2] Michal Zalewski ASP.NET __VIEWSTATE crypto validation prone to replay attacks

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[7] Standards Mapping - CIS Kubernetes Benchmark complete

[8] Standards Mapping - Common Weakness Enumeration CWE ID 353

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[16] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3)

[18] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[19] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 2.2.3

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 2.2.3

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 2.2.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 2.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 2.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 2.2.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 2.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults

[31] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

[32] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.config.dotnet.asp_dotnet_misconfiguration.viewstatemac_disabled

ASP.NET MVC Bad Practices: Controller Action Without AntiForgery Validation

C#/VB.NET/ASP.NET

Abstract

控制項動作可能會受益於防偽造驗證。

Explanation

ASP.NET MVC 在表單中新增防偽造權杖，並在控制項中對該防偽造權杖進行驗證，從而提供便利的方式來更好地保護應用程式抵禦跨網站偽造要求攻擊。此權杖在使用時，通常做為隱藏表單欄位包括在內，並在提交表單時進行驗證，如此可以提高要求來自您的應用程式 (而非偽造) 的可能性。

以下控制項程式碼不含針對跨網站偽造要求攻擊的內建防禦：


public ActionResult ActionName(Model model, string returnurl)
{
  // ... controller logic
}

References

[1] HtmlHelper.AntiForgeryToken Method

[2] ValidateAntiForgeryTokenAttribute Class

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark complete

[9] Standards Mapping - Common Weakness Enumeration CWE ID 352

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352

[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352

[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942

[16] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity

[19] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)

[20] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)

[21] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)

[24] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[25] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352

[37] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352

[38] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery

desc.structural.dotnet.aspnet_mvc_bad_practices_action_without_antiforgery_validation

ASP.NET MVC Bad Practices: Form Without AntiForgery Token

C#/VB.NET/ASP.NET

Abstract

Razor 檢視包含表單，但是並未隨該表單包含防偽造權杖，因此可能更容易受到跨網站偽造要求攻擊。

Explanation

ASP.NET MVC 在 HTML 表單中新增防偽造權杖，並在控制項中對該防偽造權杖進行驗證，從而提供便利的方式來更好地保護應用程式抵禦跨網站偽造要求攻擊。此權杖在使用時，通常做為隱藏表單欄位包括在內，並在提交表單時進行驗證，如此可以提高要求來自您的應用程式 (而非偽造) 的可能性。

一般而言，程式設計人員應將此防偽造權杖包括在內，因為這會提高針對應用程式使用惡意指令碼的代價。

範例 1：以下 Razor 程式碼會在產生的 HTML 中建立表單，但不含針對跨網站偽造要求攻擊的內建防禦：


@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl })) {
  // ... form elements
}

Example 2::The following Razor code creates a form in the resulting HTML without the built-in defense against cross-site request forgery. Note that parameter antiforgery is set to either false or null:


@using (Html.BeginForm("actionName", "controllerName", routeValues, FormMethod.Post, antiforgery: false, htmlAtts)) {
  // ... form elements
}

References

[1] HtmlHelper.AntiForgeryToken Method

[2] ValidateAntiForgeryTokenAttribute Class

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4