295 找到的項目
弱點

AWS CloudFormation Misconfiguration: Improper RDS Network Access Control

Abstract
範本定義一個存取權限制不足的 DBSecurityGroup。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。


"DbSecurity": {
  "Type": "AWS::RDS::DBSecurityGroup",
  "Properties": {
      "GroupDescription": "Ingress for Amazon RDS security group",
      "DBSecurityGroupIngress": {
          "CIDRIP": "0.0.0.0/0"
      }
  }
}
References
[1] Amazon Web Services AWS Documentation: AWS::RDS::DBSecurityGroupIngress
[2] Jesse Lepich and Michael Ingoldby AWS Security Blog: How to continuously audit and limit security groups with AWS Firewall Manager
[3] Jeffrey Lyon AWS Security Blog: How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
[4] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 5.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 284
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002038, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SC-11 Trusted Path
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.json.aws_cloudformation_misconfiguration_improper_rds_network_access_control.base
Abstract
範本定義一個存取權限制不足的 DBSecurityGroup。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。


DbSecurity:
  Type: 'AWS::RDS::DBSecurityGroup'
  Properties:
    GroupDescription: Ingress for Amazon RDS security group
    DBSecurityGroupIngress:
      CIDRIP: 0.0.0.0/0
References
[1] Amazon Web Services AWS Documentation: AWS::RDS::DBSecurityGroupIngress
[2] Jesse Lepich and Michael Ingoldby AWS Security Blog: How to continuously audit and limit security groups with AWS Firewall Manager
[3] Jeffrey Lyon AWS Security Blog: How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
[4] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 5.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 284
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002038, CCI-002165
[8] Standards Mapping - FIPS200 AC
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SC-11 Trusted Path
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_cloudformation_misconfiguration_improper_rds_network_access_control.base

AWS CloudFormation Misconfiguration: Improper Redshift Network Access Control

Abstract
範本明確啟用對 Amazon Redshift 叢集的公開存取。
Explanation
依預設,Amazon Redshift 叢集是不公開存取的。

啟用對叢集的公開存取會造成組織受攻擊面更大。

範例 1:以下範例範本明確啟用對 Amazon Redshift 叢集的公開存取。

"Resources": {
    "RDCluster": {
      "Type": "AWS::Redshift::Cluster",
      "Properties": {
        "NodeType": "ds2.xlarge",
        "ClusterType": "single-node",
        "DBName": "rdb",
        "PubliclyAccessible": true,
        "MasterUsername": "rduser",
        "MasterUserPassword": {
          "Ref": "MasterUserPassword"
        }
      }
    }
}
References
[1] Amazon Web Services Managing clusters in a VPC
[2] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.json.aws_cloudformation_misconfiguration_improper_redshift_network_access_control.base
Abstract
範本明確啟用對 Amazon Redshift 叢集的公開存取。
Explanation
依預設,Amazon Redshift 叢集是不公開存取的。

啟用對叢集的公開存取會造成組織受攻擊面更大。

範例 1:以下範例範本明確啟用對 Amazon Redshift 叢集的公開存取。

Resources:
  RDCLuster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      PubliclyAccessible: true
      DBName: "rdb"
      MasterUsername: "rduser"
      MasterUserPassword:
        Ref: "MasterUserPassword"
      NodeType: "ds2.xlarge"
      ClusterType: "single-node"
References
[1] Amazon Web Services Managing clusters in a VPC
[2] Amazon Web Services AWS Documentation: AWS::Redshift::Cluster
[3] Standards Mapping - Common Weakness Enumeration CWE ID 284
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 AC
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.1.3 Build (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[13] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[14] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.10, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[30] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)
[54] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.structural.yaml.aws_cloudformation_misconfiguration_improper_redshift_network_access_control.base

AWS CloudFormation Misconfiguration: Improper SageMaker Network Access Control

Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base
Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base

AWS CloudFormation Misconfiguration: Improper Serverless Network Access Control

Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base
Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base

AWS CloudFormation Misconfiguration: Improper Transfer Network Access Control

Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base
Abstract
組態定義一個存取權限過寬的網路規則。
Explanation
寬鬆的存取組態會將系統暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。
References
[1] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[2] Standards Mapping - Common Weakness Enumeration CWE ID 749
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[11] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[12] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[13] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[14] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[15] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[16] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[30] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[31] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.misconfiguration_improper_network_access_control.base

Azure ARM Misconfiguration: Improper Storage Network Access Control

Abstract
範本定義一個網路存取權不當的 Azure 儲存體帳戶。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.8
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.azure.improper_storage_network_access_control.base
Abstract
範本定義一個網路存取權不當的 Azure 儲存體帳戶。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 3.8
[2] Standards Mapping - Common Weakness Enumeration CWE ID 284
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), SC-3 Security Function Isolation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, SC-3 Security Function Isolation
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.2 Access Control Architectural Requirements (L2 L3), 1.4.4 Access Control Architectural Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[14] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[15] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.2
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.iac.azure.improper_storage_network_access_control.base

Cookie Security: Persistent Session Cookie

Abstract
持續性階段作業 Cookie 可能會造成帳戶洩漏。
Explanation
持續性工作階段 Cookie 即使在使用者關閉瀏覽器後仍然有效,並通常用作「記住我」功能的一部分。因此,假設使用者並未明確登出,則即使關閉瀏覽器後,持續性工作階段 Cookie 仍可讓使用者維持對應用程式的驗證狀態。這表示下一個開啟瀏覽器的人將自動登入為上一名使用者。除非您的應用程式部署於使用者無法從共用機器登入的控制環境,否則即使攻擊者關閉了瀏覽器,仍可能洩漏您的使用者帳戶。

範例 1:以下程式碼會將階段作業 Cookie 設定為持續性。

server.servlet.session.cookie.persistent=true
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 539
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185, CCI-001941, CCI-001942, CCI-002361
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.3 Session Binding Requirements (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.7, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3, Requirement 6.5.10
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3, Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3, Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.cookie_security_persistent_session_cookie
Abstract
持續性階段作業 cookie 可能會造成帳戶洩漏。
Explanation
持續性工作階段 Cookie 即使在使用者關閉瀏覽器後仍然有效,並通常用作「記住我」功能的一部分。因此,假設使用者並未明確登出,則即使關閉瀏覽器後,持續性工作階段 Cookie 仍可讓使用者維持對應用程式的驗證狀態。這表示下一個開啟瀏覽器的人將自動登入為上一名使用者。除非您的應用程式部署於使用者無法從共用機器登入的控制環境,否則即使攻擊者關閉了瀏覽器,仍可能洩漏您的使用者帳戶。
範例 1:下列程式碼將工作階段 Cookie 設為 10 年後過期。

session_set_cookie_params(time()+60*60*24*365*10, "/", "www.example.com", false, true);
References
[1] session_set_cookie_params The PHP Group
[2] Standards Mapping - Common Weakness Enumeration CWE ID 539
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001185, CCI-001941, CCI-001942, CCI-002361
[7] Standards Mapping - FIPS200 MP
[8] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.2.3 Session Binding Requirements (L1 L2 L3), 8.3.4 Sensitive Private Data (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[16] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[18] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[20] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.7, Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3, Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3, Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3, Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000060 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002240 CAT I
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.php.cookie_security_persistent_session_cookie

Weak Encryption: Inadequate RSA Padding

Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰執行加密,但不使用填補架構:

  static public byte[] EncryptWithRSA(byte[] plaintext, RSAParameters key) {
    try {
      RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
      rsa.ImportParameters(key);
      return rsa.Encrypt(plaintext, false);
    }
    catch(CryptographicException e) {
      Console.WriteLine(e.Message);
      return null;
    }
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.dotnet.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

  void encrypt_with_rsa(BIGNUM *out, BIGNUM *in, RSA *key) {
    u_char *inbuf, *outbuf;
    int ilen;
    ...
    ilen = BN_num_bytes(in);
    inbuf = xmalloc(ilen);
    BN_bn2bin(in, inbuf);
    if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key, RSA_NO_PADDING)) <= 0) {
      fatal("encrypt_with_rsa() failed");
    }
    ...
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.cpp.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼採用使用了 PKCS#1 v1.5 填補架構的 RSA 公開金鑰執行加密:

...
import "crypto/rsa"
...
plaintext := []byte("Attack at dawn")
cipherText, err := rsa.EncryptPKCS1v15(rand.Reader, &k.PublicKey, plaintext)
...
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.golang.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

  public Cipher getRSACipher() {
    Cipher rsa = null;
    try {
      rsa = javax.crypto.Cipher.getInstance("RSA/NONE/NoPadding");
    }
    catch (java.security.NoSuchAlgorithmException e) {
      log("this should never happen", e);
    }
    catch (javax.crypto.NoSuchPaddingException e) {
      log("this should never happen", e);
    }
    return rsa;
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.semantic.java.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

+ (NSData *) encryptData:(NSData *) plaintextData withKey:(SecKeyRef *) publicKey {
    CFErrorRef error = nil;
    
    NSData *ciphertextData = (NSData*) CFBridgingRelease(
        SecKeyCreateEncryptedData(*publicKey,
                                  kSecKeyAlgorithmRSAEncryptionPKCS1,
                                  (__bridge CFDataRef) plaintextData,
                                  &error));
    
    if (error) {
        // handle error ...
    }
    
    return ciphertextData;
}
References
[1] Wikipedia
[2] PKCS #1 v2.1: RSA Cryptography Standard
[3] Standards Mapping - Common Weakness Enumeration CWE ID 780
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.objc.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

  function encrypt($input, $key) {
    $output='';
    openssl_public_encrypt($input, $output, $key, OPENSSL_NO_PADDING);
    return $output;
  }
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.php.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

...
from Crypto.PublicKey import RSA

message = 'Attack at dawn'
key = RSA.importKey(open('pubkey.der').read())
ciphertext = key.encrypt(message)
...
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.python.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

require 'openssl'
...
key = OpenSSL::PKey::RSA.new 2048
public_encrypted = key.public_encrypt(data) #padding type not specified
...


Example 1 中,OpenSSL::PKey::RSA#public_encrypt 只使用字串進行呼叫,並未指定要使用的填補類型。填補預設為 OpenSSL::PKey::RSA::PKCS1_PADDING
References
[1] Wikipedia
[2] OPENSSL Documentation
[3] PKCS #1 v2.1: RSA Cryptography Standard
[4] Standards Mapping - Common Weakness Enumeration CWE ID 780
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[6] Standards Mapping - FIPS200 MP
[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[12] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[14] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[15] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[17] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[19] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.structural.ruby.weak_encryption_inadequate_rsa_padding
Abstract
在不使用 OAEP 填補的情況下執行公開金鑰 RSA 加密,會使加密的安全性變弱。
Explanation
進行實務操作時,使用 RSA 公開金鑰進行加密通常會結合填補架構。填補架構可以防止針對執行加密時未使用填補才有效的 RSA 所進行的攻擊。

範例 1:以下程式碼使用 RSA 公開金鑰進行加密,但不使用填補架構:

func encrypt(data plaintextData:Data, publicKey:SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let ciphertextData = SecKeyCreateEncryptedData(publicKey,
                                                         .rsaEncryptionPKCS1,
                                                         plaintextData as CFData,
                                                         &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return ciphertextData as Data;
}
References
[1] Wikipedia
[2] PKCS #1 v2.1: RSA Cryptography Standard
[3] Standards Mapping - Common Weakness Enumeration CWE ID 780
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002450
[5] Standards Mapping - FIPS200 MP
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), SC-13 Cryptographic Protection (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, SC-13 Cryptographic Protection
[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.9.3 Cryptographic Software and Devices Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 6.2.2 Algorithms (L2 L3), 8.3.7 Sensitive Private Data (L2 L3), 9.1.2 Communications Security Requirements (L1 L2 L3), 9.1.3 Communications Security Requirements (L1 L2 L3)
[10] Standards Mapping - OWASP Mobile 2014 M6 Broken Cryptography
[11] Standards Mapping - OWASP Mobile 2024 M10 Insufficient Cryptography
[12] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CRYPTO-1
[13] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[14] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[15] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[16] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[17] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.3
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.3
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.3
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.3
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective 7.4 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design
[31] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3150.1 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3150.1 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3150.1 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3150.1 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3150.1 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3150.1 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3150.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-002010 CAT II, APSC-DV-002040 CAT II
desc.dataflow.swift.weak_encryption_inadequate_rsa_padding

Path Manipulation

Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的檔案。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。


...
*Get the report that is to be deleted
r_name = request->get_form_field( 'report_name' ).
CONCATENATE `C:\\users\\reports\\` r_name INTO dsn.
DELETE DATASET dsn.
...


如果攻擊者提供諸如「..\\..\\usr\\sap\\DVEBMGS00\\exe\\disp+work.exe」的檔案名稱,應用程式將刪除關鍵檔案並立即使 SAP 系統當機。

範例 2:下列程式碼用於顯示使用者提供的任何日期之發票詳細資料。


...
PARAMETERS: p_date TYPE string.

*Get the invoice file for the date provided
CALL FUNCTION 'FILE_GET_NAME'
  EXPORTING
    logical_filename        = 'INVOICE'
    parameter_1             = p_date
  IMPORTING
    file_name               = v_file
  EXCEPTIONS
    file_not_found          = 1
    OTHERS                  = 2.
IF sy-subrc <> 0.
* Implement suitable error handling here
ENDIF.

OPEN DATASET v_file FOR INPUT IN TEXT MODE.

DO.
  READ DATASET v_file INTO v_record.
  IF SY-SUBRC NE 0.
    EXIT.
  ELSE.
    WRITE: / v_record.
  ENDIF.
ENDDO.
...


如果攻擊者提供諸如「..\\..\\usr\\sap\\sys\\profile\\default.pfl」的字串而非有效日期,應用程式將顯示所有預設的 SAP 應用程式伺服器設定檔參數設定 - 可能會導致更精確的攻擊。
References
[1] SAP OSS Notes 1497003, 1543851, 177702 and related ones.
[2] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.abap.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var rName:String = String(params["reportName"]);
var rFile:File = new File("/usr/local/apfr/reports/" + rName);
...
rFile.deleteFile();
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並寫入「除錯」主控台或記錄檔。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


var fs:FileStream = new FileStream();
fs.open(new File(String(configStream.readObject())+".txt"), FileMode.READ);
fs.readBytes(arr);
trace(arr);
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.actionscript.path_manipulation
Abstract
允許使用者輸入來控制檔案系統作業中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2.攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

範例 1:以下 Visualforce 動作方法使用使用者的輸入來存取靜態資源。


public class MyController {
    ...
    public PageRerference loadRes() {
        PageReference ref = ApexPages.currentPage();
        Map<String,String> params = ref.getParameters();
        if (params.containsKey('resName')) {
            if (params.containsKey('resPath')) {
                return PageReference.forResource(params.get('resName'), params.get('resPath'));
            }
        }
        return null;
    }
}


程式設計師沒有考慮到,攻擊者可能操縱資源名稱和路徑來存取不打算公開給大眾的資源。
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.apex.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「..\\..\\Windows\\System32\\krnl386.exe」的可能性,這會導致應用程式刪除重要的 Windows 系統檔案。


String rName = Request.Item("reportName");
...
File.delete("C:\\users\\reports\\" + rName);
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為「.txt」的任意檔案。


sr = new StreamReader(resmngr.GetString("sub")+".txt");
while ((line = sr.ReadLine()) != null) {
Console.WriteLine(line);
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dotnet.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用來自 CGI 要求的輸入來建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../apache/conf/httpd.conf」的可能性,這會導致應用程式刪除特定組態設定檔案。


char* rName = getenv("reportName");
...
unlink(rName);
範例 2:以下程式碼使用來自指令行的輸入,來決定要開啟哪個檔案並回傳給使用者。如果程式需要適當權限才能執行,且惡意使用者能夠建立檔案的軟連結,他們就可以使用程式來讀取系統中任何檔案的開始部分。


ifstream ifs(argv[0]);
string s;
ifs >> s;
cout << s;
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cpp.path_manipulation
Abstract
允許使用者輸入來控制用在檔案操作的檔案資源名稱,可讓攻擊者存取或修改非應用程式指定的資料集。
Explanation
當發生以下兩種情況的時候,會在 CICS 中產生 path manipulation 錯誤:

1.攻擊者可以指定 CICS 檔案操作中使用的檔案資源 (FCT) 名稱。

2. 透過指定資源,攻擊者可以獲得未經授權的存取。

例如,該程式可能使攻擊者能夠讀取或寫入針對應用程式通常無法存取的 CICS 區域所設定的資料。
範例 1:以下程式碼使用 HTML 表單中的輸入進行更新,或可能刪除來自檔案的記錄。


...
EXEC CICS
  WEB READ
  FORMFIELD(FILE)
  VALUE(FILENAME)
  ...
END-EXEC.

EXEC CICS
  READ
  FILE(FILENAME)
  INTO(RECORD)
  RIDFLD(ACCTNO)
  UPDATE
  ...
END-EXEC.
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cobol.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用網路表單的輸入來建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「..\\..\\Windows\\System32\\krnl386.exe」的可能性,這會導致應用程式刪除重要的 Windows 系統檔案。 


<cffile action = "delete"
       file = "C:\\users\\reports\\#Form.reportName#">
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.cfml.path_manipulation
Abstract
允許使用者輸入來控制用於檔案系統作業的路徑,可讓攻擊者任意覆寫系統上的檔案。
Explanation
範例 1:以下範例以不安全的方式刪除檔案。


  final server = await HttpServer.bind('localhost', 18081);
  server.listen((request) async {
    final headers = request.headers;
    final path = headers.value('path');
    File(path!).delete();
  }


Example 1 中,未先驗證 headers.value('path') 即對檔案執行刪除功能。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[19] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[21] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[22] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[23] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[24] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[26] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[40] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[41] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[66] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.dart.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2.攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


    rName := "/usr/local/apfr/reports/" + req.FormValue("fName")

    rFile, err := os.OpenFile(rName, os.O_RDWR|os.O_CREATE, 0755)

    defer os.Remove(rName);
    defer rFile.Close()
    ...
範例 2:以下程式碼使用來自組態設定檔案的輸入,來決定開啟哪個檔案並返回給使用者。如果程式以足夠的權限執行,而且惡意使用者可以變更組態設定檔案,則他們可以使用程式讀取系統上以副檔名 .txt 結尾的任何檔案。


    ...
    config := ReadConfigFile()

    filename := config.fName + ".txt";
    data, err := ioutil.ReadFile(filename)

    ...

    fmt.Println(string(data))
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.golang.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


String rName = request.getParameter("reportName");
File rFile = new File("/usr/local/apfr/reports/" + rName);
...
rFile.delete();
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


fis = new FileInputStream(cfg.getProperty("sub")+".txt");
amt = fis.read(arr);
out.println(arr);


有人認為在行動環境中,典型的弱點 (例如 Path Manipulation) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼改寫 Example 1 以適用於 Android 平台。


...
        String rName = this.getIntent().getExtras().getString("reportName");
	File rFile = getBaseContext().getFileStreamPath(rName);
...
	rFile.delete();
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.java.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


...
var reportNameParam = "reportName=";
var reportIndex = document.indexOf(reportNameParam); 
if (reportIndex < 0) return; 
var rName = document.URL.substring(reportIndex+reportNameParam.length);
window.requestFileSystem(window.TEMPORARY, 1024*1024, function(fs) {
  fs.root.getFile('/usr/local/apfr/reports/' + rName, {create: false}, function(fileEntry) {
    fileEntry.remove(function() {
      console.log('File removed.');
    }, errorHandler);

  }, errorHandler);
}, errorHandler);
範例 2:以下程式碼使用來自本機儲存的輸入,來決定開啟哪個檔案並返回給使用者。如果惡意使用者能夠變更本機儲存的內容,便可以使用程式來讀取系統上副檔名為 .txt 的任何檔案。


...
var filename = localStorage.sub + '.txt';
function oninit(fs) {
  fs.root.getFile(filename, {}, function(fileEntry) {
    fileEntry.file(function(file) {
       var reader = new FileReader();
       reader.onloadend = function(e) {
         var txtArea = document.createElement('textarea');
         txtArea.value = this.result;
         document.body.appendChild(txtArea);
       };
       reader.readAsText(file);
    }, errorHandler);
  }, errorHandler);
}

window.requestFileSystem(window.TEMPORARY, 1024*1024, oninit, errorHandler);
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.javascript.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2.攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


val rName: String = request.getParameter("reportName")
val rFile = File("/usr/local/apfr/reports/$rName")
...
rFile.delete()
範例 2:以下程式碼使用來自組態設定檔案的輸入,來決定開啟哪個檔案並返回給使用者。如果程式以足夠的權限執行,而且惡意使用者可以變更組態設定檔案,則他們可以使用程式讀取系統上以副檔名 .txt 結尾的任何檔案。


fis = FileInputStream(cfg.getProperty("sub").toString() + ".txt")
amt = fis.read(arr)
out.println(arr)


有人認為在行動環境中,典型的弱點 (例如 Path Manipulation) 不會產生影響,因為使用者為何會攻擊自己呢?但是請謹記,行動平台的本質是從多種來源下載,並在相同裝置上一起執行的應用程式。在金融應用程式旁執行惡意程式碼的可能性很高,這必然會擴大行動應用程式的受攻擊面,將程序之間的通訊包括在內。

範例 3:以下程式碼改寫 Example 1 以適用於 Android 平台。


...
        val rName: String = getIntent().getExtras().getString("reportName")
        val rFile: File = getBaseContext().getFileStreamPath(rName)
...
        rFile.delete()
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.kotlin.path_manipulation
Abstract
攻擊者能夠控制檔案系統路徑,這會讓他們存取或修改本應受保護的檔案。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用使用者的輸入建立一個檔案路徑。程式設計師沒有考慮到攻擊者能夠提供不同檔案名稱的可能性,這可能會導致應用程式刪除非預期的檔案。


- (NSData*) testFileManager {

    NSString *rootfolder = @"/Documents/";
    NSString *filePath = [rootfolder stringByAppendingString:[fileName text]];

    NSFileManager *fm = [NSFileManager defaultManager];
    return [fm contentsAtPath:filePath];
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.objc.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


$rName = $_GET['reportName'];
$rFile = fopen("/usr/local/apfr/reports/" . rName,"a+");
...
unlink($rFile);
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


...
$filename = $CONFIG_TXT['sub'] . ".txt";
$handle = fopen($filename,"r");
$amt = fread($handle, filesize($filename));
echo $amt;
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.php.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


rName = req.field('reportName')
rFile = os.open("/usr/local/apfr/reports/" + rName)
...
os.unlink(rFile);
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


...
filename = CONFIG_TXT['sub'] + ".txt";
handle = os.open(filename)
print handle
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.python.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下的程式碼使用 HTTP 要求的輸入建立一個檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


rName = req['reportName']
File.delete("/usr/local/apfr/reports/#{rName}")
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


...
fis = File.new("#{cfg.getProperty("sub")}.txt")
amt = fis.read
puts amt
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.ruby.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2.攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「../../tomcat/conf/server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


def readFile(reportName: String) = Action { request =>
    val rFile = new File("/usr/local/apfr/reports/" + reportName)
    ...
    rFile.delete()
}
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


val fis = new FileInputStream(cfg.getProperty("sub")+".txt")
val amt = fis.read(arr)
out.println(arr)
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] FIO00-J. Do not operate on files in shared directories CERT
[3] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[23] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[24] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[25] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[27] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[28] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[41] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[42] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[43] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[67] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[68] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.scala.path_manipulation
Abstract
攻擊者能夠控制檔案系統路徑,這會讓他們存取或修改本應受保護的檔案。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用使用者的輸入建立一個檔案路徑。程式設計師沒有考慮到攻擊者能夠提供不同檔案名稱的可能性,這可能會導致應用程式刪除非預期的檔案。


func testFileManager() -> NSData {
    let filePath : String = "/Documents/\(fileName.text)"
    let fm : NSFileManager = NSFileManager.defaultManager()
    return fm.contentsAtPath(filePath)
}
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.swift.path_manipulation
Abstract
允許使用者輸入來控制檔案系統操作中使用的路徑,可讓攻擊者存取或修改原本受保護的系統資源。
Explanation
當發生以下兩種情況的時候,會產生 path manipulation 錯誤:

1.攻擊者可以指定在檔案系統操作中所使用的路徑。

2. 攻擊者可藉由指定資源來取得一般情況下不被允許的權限。

例如,程式可能會讓攻擊者能夠覆寫指定的檔案,或是能夠在攻擊者控制的組態下執行。
範例 1:以下程式碼使用 HTTP 要求的輸入建立檔案名稱。程式設計師沒有考慮到攻擊者能夠提供檔案名稱類似「..\conf\server.xml」的可能性,這會導致應用程式刪除本身其中一個組態設定檔案。


Dim rName As String
Dim fso As New FileSystemObject
Dim rFile as File
Set rName = Request.Form("reportName")
Set rFile = fso.GetFile("C:\reports\" & rName)
...
fso.DeleteFile("C:\reports\" & rName)
...
範例 2:以下程式碼使用來自配置檔案的輸入,來決定要開啟哪個檔案並返回給使用者。如果程式需要適當權限才能執行,且惡意使用者可以變更配置檔案,則他們可以使用程式來讀取系統中結尾副檔名為 .txt 的任意檔案。


Dim fileName As String
Dim tsContent As String
Dim ts As TextStream
Dim fso As New FileSystemObject

fileName = GetPrivateProfileString("MyApp", "sub", _
  "", value, Len(value), _
   App.Path & "\" & "Config.ini")
...
Set ts = fso.OpenTextFile(fileName,1)
tsContent = ts.ReadAll
Response.Write tsContent
...
References
[1] G. Hoglund, G. McGraw Exploiting Software Addison-Wesley
[2] Standards Mapping - Common Weakness Enumeration CWE ID 22, CWE ID 73
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [10] CWE ID 022
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [12] CWE ID 022
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [8] CWE ID 022
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [8] CWE ID 022
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [8] CWE ID 022
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [5] CWE ID 022, [12] CWE ID 020
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000345, CCI-002754
[10] Standards Mapping - FIPS200 SI
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[16] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), SI-10 Information Input Validation (P1)
[17] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, SI-10 Information Input Validation
[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.2 Sanitization and Sandboxing Requirements (L1 L2 L3), 12.3.1 File Execution Requirements (L1 L2 L3), 12.3.2 File Execution Requirements (L1 L2 L3)
[19] Standards Mapping - OWASP Mobile 2014 M8 Security Decisions Via Untrusted Inputs
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4, MASVS-PLATFORM-1
[22] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[23] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[24] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[25] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[26] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[27] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation
[40] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 426
[41] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 022
[42] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 022
[43] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[64] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[65] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002960 CAT II
[66] Standards Mapping - Web Application Security Consortium Version 2.00 Path Traversal (WASC-33)
[67] Standards Mapping - Web Application Security Consortium 24 + 2 Path Traversal
desc.dataflow.vb.path_manipulation

Missing XML Validation

Abstract
若無法在剖析 XML 時啟用驗證,攻擊者將有機會提供惡意輸入。
Explanation
最成功的攻擊往往是由破解程式設計師的假設開始。如果接受 XML 文件而不驗證該文件是否符合 DTD 或 XML 架構,程式設計師等於是放任攻擊者提供非預期、不合理或惡意的輸入。當然,一個 XML 剖析器不可能驗證文件的所有內容;換句話說,剖析器無法了解資料的完整語意。但是,剖析器可以進行完整且徹底的文件結構檢查,因此可以保證處理文件的程式碼中的內容形式是合法的。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 112
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[9] Standards Mapping - FIPS200 SI
[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[13] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[17] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[18] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[19] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[20] Standards Mapping - OWASP Top 10 2010 A1 Injection
[21] Standards Mapping - OWASP Top 10 2013 A1 Injection
[22] Standards Mapping - OWASP Top 10 2017 A1 Injection
[23] Standards Mapping - OWASP Top 10 2021 A03 Injection
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[36] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.abap.missing_xml_validation
Abstract
若無法在剖析 XML 時啟用驗證,攻擊者將有機會提供惡意輸入。
Explanation
最成功的攻擊往往是由破解程式設計師的假設開始。如果接受 XML 文件而不驗證該文件是否符合 DTD 或 XML 架構,程式設計師等於是放任攻擊者提供非預期、不合理或惡意的輸入。當然,一個 XML 解析器不可能驗證文件的所有內容;換句話說,解析器無法瞭解資料的完整語意。但是,解析器可以進行完整且徹底的文件結構檢查,因此可以保證處理文件的程式碼中的內容形式是合法的。
References
[1] XmlReader Class Microsoft
[2] XmlReaderSettings Class Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 112
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[11] Standards Mapping - FIPS200 SI
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[19] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[20] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[21] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[22] Standards Mapping - OWASP Top 10 2010 A1 Injection
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - OWASP Top 10 2021 A03 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.dotnet.missing_xml_validation
Abstract
若無法在剖析 XML 時啟用驗證,攻擊者將有機會提供惡意輸入。
Explanation
最成功的攻擊往往是由破解程式設計師的假設開始。如果接受 XML 文件而不驗證該文件是否符合 DTD 或 XML 架構,程式設計師等於是放任攻擊者提供非預期、不合理或惡意的輸入。當然,一個 XML 解析器不可能驗證文件的所有內容;換句話說,解析器無法了解資料的完整語意。但是,解析器可以進行完整且徹底的文件結構檢查,因此可以保證處理文件的程式碼中的內容形式是合法的。
References
[1] Xerces parser features The Apache Foundation
[2] XML Validation in J2SE 1.5 Sun Microsystems
[3] Axis User's Guide Apache Software Foundation
[4] IDS16-J. Prevent XML Injection CERT
[5] IDS17-J. Prevent XML External Entity Attacks CERT
[6] INJECT-3: XML and HTML generation requires care Oracle
[7] Standards Mapping - Common Weakness Enumeration CWE ID 112
[8] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020
[9] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020
[10] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020
[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020
[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020
[13] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[14] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001310, CCI-002385, CCI-002754
[15] Standards Mapping - FIPS200 SI
[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SI-10 Information Input Validation
[19] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 13.3.1 SOAP Web Service Verification Requirements (L1 L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[25] Standards Mapping - OWASP Top 10 2007 A2 Injection Flaws
[26] Standards Mapping - OWASP Top 10 2010 A1 Injection
[27] Standards Mapping - OWASP Top 10 2013 A1 Injection
[28] Standards Mapping - OWASP Top 10 2017 A1 Injection
[29] Standards Mapping - OWASP Top 10 2021 A03 Injection
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1, Requirement 6.5.6
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[38] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[39] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[40] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[41] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[64] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002390 CAT II, APSC-DV-002400 CAT II, APSC-DV-002530 CAT II, APSC-DV-002550 CAT I, APSC-DV-002560 CAT I
[65] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.controlflow.java.missing_xml_validation

Unreleased Resource: Streams

Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法絕對不會關閉它所開啟的檔案控制碼。StreamReaderFinalize() 方法最終會呼叫 Close(),但不確定何時會叫用 Finalize() 方法。事實上,不確定是否會叫用 Finalize()。在忙碌的環境中,這可能會導致 VM 用盡它所有能使用的檔案控制碼。


private void processFile(string fName) {
        StreamWriter sw = new StreamWriter(fName);
        string line;
        while ((line = sr.ReadLine()) != null)
                processLine(line);
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.dotnet.unreleased_resource_streams
Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法絕對不會關閉它所開啟的檔案控制碼。用於 FileInputStreamfinalize() 方法最終會呼叫 close(),但是並不保證在叫用 finalize() 方法前會經過多少時間。因此,在繁忙的環境中,這可能會導致 JVM 用盡它所有的檔案控制碼。

private void processFile(String fName) throws FileNotFoundException, IOException {
  FileInputStream fis = new FileInputStream(fName);
  int sz;
  byte[] byteArray = new byte[BLOCK_SIZE];
  while ((sz = fis.read(byteArray)) != -1) {
    processBytes(byteArray, sz);
  }
}
References
[1] FIO04-J. Release resources when they are no longer needed CERT
[2] DOS-2: Release resources in all cases Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 772
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.java.unreleased_resource_streams
Abstract
此識別的函數有時無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。


資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法永遠不會關閉其讀取的串流。


...
CFIndex numBytes;
do {
    UInt8 buf[bufferSize];
    numBytes = CFReadStreamRead(readStream, buf, sizeof(buf));
    if( numBytes > 0 ) {
        handleBytes(buf, numBytes);
    } else if( numBytes < 0 ) {
        CFStreamError error = CFReadStreamGetError(readStream);
        reportError(error);
    }
} while( numBytes > 0 );
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.objc.unreleased_resource_streams
Abstract
程式可能會無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。

資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法絕對不會關閉它所開啟的檔案控制碼。

def readFile(filename: String): Unit = {
    val data = Source.fromFile(fileName).getLines.mkString
    // Use the data
}
References
[1] FIO04-J. Release resources when they are no longer needed CERT
[2] DOS-2: Release resources in all cases Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 772
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[19] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[20] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[43] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[44] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.scala.unreleased_resource_streams
Abstract
此識別的函數有時無法釋出系統資源。
Explanation
程式可能會無法釋出系統資源。


資源洩漏至少有兩種常見原因:

- 錯誤條件以及其他異常情況。

- 不確定程式的哪一部份負責釋放資源。

大部分的 Unreleased Resource 問題都會導致一般軟體可靠性問題,但是如果攻擊者蓄意觸發資源洩漏的話,攻擊者就可能會藉由耗盡資源集區的方式來發動 Denial of Service 攻擊。

範例 1:下列方法永遠不會關閉其讀取的串流。


...
        func leak(reading input: InputStream) {
            input.open()
            let bufferSize = 1024
            let buffer = UnsafeMutablePointer<UInt8>.allocate(capacity: bufferSize)
            while input.hasBytesAvailable {
                let read = input.read(buffer, maxLength: bufferSize)
            }
            buffer.deallocate(capacity: bufferSize)
        }
...
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 772
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [21] CWE ID 772
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-001133
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1), SC-10 Network Disconnect (P2)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection, SC-10 Network Disconnect
[6] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation
[17] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404
[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002000 CAT II, APSC-DV-002400 CAT II
[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.swift.unreleased_resource_streams

AWS CloudFormation Misconfiguration: Improper EC2 Network Access Control

Abstract
範本定義一個存取權限制不足的 SecurityGroup。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。


"PSQLSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "VpcId": {
            "Ref": "VpcId"
        },
        "GroupDescription": "Enable PSQL access via port 5432 to world",
        "SecurityGroupIngress": [
            {
                "CidrIp": "0.0.0.0/0",
                "FromPort": 5432,
                "IpProtocol": "tcp",
                "ToPort": 5432
            }
        ]
    }
References
[1] Amazon Web Services AWS Documentation: AWS::EC2::SecurityGroupIngress
[2] Jesse Lepich and Michael Ingoldby AWS Security Blog: How to continuously audit and limit security groups with AWS Firewall Manager
[3] Jeffrey Lyon AWS Security Blog: How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
[4] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 5.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 749
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002038, CCI-002165
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SC-11 Trusted Path
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.json.aws_cloudformation_misconfiguration_improper_ec2_network_access_control.base
Abstract
範本定義一個存取權限制不足的 SecurityGroup。
Explanation
寬鬆的存取組態會將系統不必要地暴露在外,並擴大組織的受攻擊面。開放與公眾互動的服務會受到惡意實體幾乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。


PSQLSecurityGroup:
  Type: 'AWS::EC2::SecurityGroup'
  Properties:
    VpcId: !Ref VpcId
    GroupDescription: Enable PSQL access via port 5432 to world
    SecurityGroupIngress:
      - CidrIp: 0.0.0.0/0
        FromPort: 5432
        IpProtocol: tcp
        ToPort: 5432
References
[1] Amazon Web Services AWS Documentation: AWS::EC2::SecurityGroupIngress
[2] Jesse Lepich and Michael Ingoldby AWS Security Blog: How to continuously audit and limit security groups with AWS Firewall Manager
[3] Jeffrey Lyon AWS Security Blog: How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface
[4] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis
[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark Recommendation 5.2
[6] Standards Mapping - Common Weakness Enumeration CWE ID 749
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002038, CCI-002165
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), CM-5 Access Restrictions for Change (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, CM-5 Access Restrictions for Change, SC-3 Security Function Isolation, SC-11 Trusted Path
[14] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)
[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[34] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863
[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863
[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-002360 CAT II
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.yaml.aws_cloudformation_misconfiguration_improper_ec2_network_access_control.base

Unauthenticated Service: MongoDB

Abstract
應用程式會初始化 MongoDB 用戶端,但不設定任何認證。
Explanation
攻擊者可以鎖定未經驗證的 MongoDB 伺服器為目標,導致其中儲存的資料洩漏,具體取決於 MongoDB 的版本,透過危害伺服器達到涉足您內部網路的目的。

可能會針對 MongoDB 伺服器使用不同的攻擊方式,以對其基礎作業系統執行任意程式碼。例如,過去存在的弱點允許攻擊者將 Server-Side Javascript Injection 變換為遠端程式碼執行。用來儲存物件時,攻擊者也可能針對不同的語言 (例如 Java、Python、Ruby、PHP 等) 儲存還原序列化裝載,以便對還原序列化端點執行遠端程式碼。

請注意,即使沒有在外部暴露 MongoDB 伺服器,外部攻擊者仍可能透過同一網路上任意應用程式內的 Server-Side Request Forgery 弱點對其進行存取或連線到 REST API。例如,可能使用 HTTP 或 Gopher 通訊協定攻擊 MongoDB 伺服器。

如果未能在外部保護 MongoDB 連接埠,可能會對安全性有較大的影響。例如,外部攻擊者可使用單一 remove 指令來刪除整個資料集。最近,有關於惡意攻擊網際網路上公開執行的不安全 MongoDB 實例之報告。攻擊者刪除了資料庫,並要求支付贖金才會加以還原。
References
[1] MongoDB MongoDB Security
[2] Standards Mapping - Common Weakness Enumeration CWE ID 259
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-003109
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), IA-11 Re-Authentication (P0), SA-4 Acquisition Process (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SA-4 Acquisition Process, SC-11 Trusted Path, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[37] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.java.unauthenticated_service_mongodb
Abstract
應用程式會初始化 MongoDB 用戶端,但不設定任何認證。
Explanation
攻擊者可以鎖定未經驗證的 MongoDB 伺服器為目標,導致其中儲存的資料洩漏,具體取決於 MongoDB 的版本,透過危害伺服器達到涉足您內部網路的目的。

可能會針對 MongoDB 伺服器使用不同的攻擊方式,以對其基礎作業系統執行任意程式碼。 例如,過去存在的弱點允許攻擊者將 Server-Side Javascript Injection 變換為遠端程式碼執行。 用來儲存物件時,攻擊者也可能針對不同的語言 (例如 Java、Python、Ruby、PHP 等) 儲存還原序列化裝載,以便對還原序列化端點執行遠端程式碼。

請注意,即使沒有在外部暴露 MongoDB 伺服器,外部攻擊者仍可能透過同一網路上任意應用程式內的 Server-Side Request Forgery 弱點對其進行存取或連線到 REST API。 例如,可能使用 HTTP 或 Gopher 通訊協定攻擊 MongoDB 伺服器。

如果未能在外部保護 MongoDB 連接埠,可能會對安全性有較大的影響。 例如,外部攻擊者可使用單一 remove 指令來刪除整個資料集。 最近,有關於惡意攻擊網際網路上公開執行的不安全 MongoDB 實例之報告。 攻擊者刪除了資料庫,並要求支付贖金才會加以還原。
References
[1] MongoDB MongoDB Security
[2] Standards Mapping - Common Weakness Enumeration CWE ID 259
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [19] CWE ID 798
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287, [20] CWE ID 798
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287, [16] CWE ID 798
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287, [15] CWE ID 798
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287, [18] CWE ID 798
[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287, [22] CWE ID 798
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000196, CCI-001199, CCI-003109
[10] Standards Mapping - FIPS200 IA
[11] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-5 Authenticator Management (P1), IA-11 Re-Authentication (P0), SA-4 Acquisition Process (P1), SC-28 Protection of Information at Rest (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-5 Authenticator Management, SA-4 Acquisition Process, SC-11 Trusted Path, SC-28 Protection of Information at Rest
[14] Standards Mapping - OWASP API 2023 API2 Broken Authentication
[15] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.10.2 Service Authentication Requirements (L2 L3), 3.5.2 Token-based Session Management (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.4.1 Secret Management (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3), 10.2.3 Malicious Code Search (L3)
[16] Standards Mapping - OWASP Mobile 2014 M2 Insecure Data Storage
[17] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[18] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-STORAGE-1
[19] Standards Mapping - OWASP Top 10 2004 A8 Insecure Storage
[20] Standards Mapping - OWASP Top 10 2007 A8 Insecure Cryptographic Storage
[21] Standards Mapping - OWASP Top 10 2010 A7 Insecure Cryptographic Storage
[22] Standards Mapping - OWASP Top 10 2013 A6 Sensitive Data Exposure
[23] Standards Mapping - OWASP Top 10 2017 A3 Sensitive Data Exposure
[24] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.8, Requirement 8.4
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 1.2.6, Requirement 6.2.4, Requirement 6.5.3, Requirement 8.3.1
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 2.2 - Secure Defaults, Control Objective 5.1 - Authentication and Access Control
[37] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 259
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.python.unauthenticated_service_mongodb

Access Control: Privilege Escalation

Abstract
程式可能允許未獲授權的使用者執行為權限更高的使用者保留的指令。
Explanation
通常,SAP 應用程式中的授權檢查將針對執行應用程式的使用者 (登入的使用者) 執行。但是,可透過下列方式讓程式檢查不同使用者 (非登入的使用者) 的授權:
1. 在新增 FOR USER 的同時使用陳述式 AUTHORITY-CHECK
2. 透過指定的使用者呼叫函數模組 AUTHORITY_CHECK
3. 透過指定的使用者呼叫函數模組 SU_RAUTH_CHECK_FOR_USER

雖然這些檢查有時是必要的,但通常會造成權限提升的安全性風險。控制據以執行授權檢查之「使用者 id」輸入的惡意使用者,能夠欺騙系統提供已知的超級使用者 id (例如 SAP* 或 DDIC),讓其存取原本禁止該名使用者存取的內容。

即使使用者沒有直接控制用於授權檢查的「使用者 id」,研究對不同使用者的授權亦是一個不良的作法,必須予以避免。在執行授權檢查時,無需明確指定登入的使用者 (sy-uname)。此為預設行為 - 明確指定登入的使用者只會為漏洞利用攻擊開啟方便之門,sy-uname 在實際執行檢查之前可能會受到控制。因此,一般而言,建議跳過檢查對不同使用者的授權,並且不特別明確指定登入的使用者。

範例 1:下列程式碼會在呼叫可能執行任何 ABAP 程式的交易之前檢查使用者授權。


...
AUTHORITY-CHECK OBJECT 'S_TCODE' FOR USER v_user
ID 'TCD' FIELD 'SA38'.
IF sy-subrc = 0.
CALL TRANSACTION 'SA38'.
ELSE.
...


在這種情況下,未獲授權的使用者能夠藉由向變數 v_user 提供已知的超級使用者 (例如 SAP* 或 DDIC) 而啟動任何 ABAP 程式。
References
[1] SAP OSS Notes 20534, 179145, 136647 and related ones.
[2] Standards Mapping - Common Weakness Enumeration CWE ID 863
[3] Standards Mapping - Common Weakness Enumeration Top 25 2023 [24] CWE ID 863
[4] Standards Mapping - Common Weakness Enumeration Top 25 2024 [18] CWE ID 863
[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165, CCI-002754
[6] Standards Mapping - FIPS200 AC
[7] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), CM-5 Access Restrictions for Change (P1), IA-2 Identification and Authentication (Organizational Users) (P1), IA-11 Re-Authentication (P0), SC-3 Security Function Isolation (P1), SI-10 Information Input Validation (P1)
[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, CM-5 Access Restrictions for Change, IA-2 Identification and Authentication (Organizational Users), SC-3 Security Function Isolation, SC-11 Trusted Path, SI-10 Information Input Validation
[10] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[12] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[13] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control
[15] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access
[16] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access
[17] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control
[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[32] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[33] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[34] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II, APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I, APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I, APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I, APP3480.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I, APP3480.2 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I, APP3480.2 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I, APP3480.2 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001410 CAT II, APSC-DV-001520 CAT II, APSC-DV-001530 CAT II, APSC-DV-001540 CAT I, APSC-DV-002360 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization
desc.structural.abap.access_control_privilege_escalation

Axis 2 Service Provider Misconfiguration: Missing Inbound Timestamp

Abstract
缺少時間戳記會讓 SOAP 遭受重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息建立的時間。若攻擊者截取稍後重新傳輸的訊息,接收者可拒絕重複進行的攻擊,因為時間戳記顯示這是舊訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息、修改時間戳記並傳送給接收者。在這些情況下,攻擊者可能會誘使接收者接受惡意的訊息。

以下 Apache Axis 2 Rampart 組態會忽略 <items> 標籤中的 Timestamp 指令,因此服務中的要求不需要包含時間戳記。

<service>
...
      <action>
        <items>Signature Encrypt</items>
...
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 353
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3870 CAT I, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3870 CAT I, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3870 CAT I, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3870 CAT I, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3870 CAT I, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3870 CAT I, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_missing_inbound_timestamp

Axis 2 Service Provider Misconfiguration: Missing Outbound Timestamp

Abstract
缺少時間戳記會讓 SOAP 遭受重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息安全性資料建立的時間。若攻擊者截取稍後重新傳輸的訊息,接收者可拒絕重複進行的攻擊,因為時間戳記顯示這是舊訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息、修改時間戳記並傳送給接收者。在這些情況下,攻擊者可能誘使接收者接受惡意的訊息。

以下 Apache Axis 2 Rampart 組態會忽略 <items> 標籤中的 Timestamp 指令,因此服務不會傳送具有時間戳記的訊息。

<service>
...
   <parameter name="OutflowSecurity">
      <action>
        <items>Signature Encrypt</items>
...
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 353
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3870 CAT I, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3870 CAT I, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3870 CAT I, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3870 CAT I, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3870 CAT I, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3870 CAT I, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_missing_outbound_timestamp

Axis 2 Service Provider Misconfiguration: Unsigned Inbound Timestamp

Abstract
未簽署的時間戳記會讓 SOAP 訊息遭受纂改與重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息建立的時間。若攻擊者截取稍後重新傳輸的訊息,接收者可拒絕重複進行的攻擊,因為時間戳記顯示這是舊訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息、修改時間戳記並傳送該訊息。在這些情況下,攻擊者可能會誘使接收者接受惡意的訊息。

下列服務供應商組態要求 Axis 2 接受未簽署時間戳記的訊息:

<service>
...
	<parameter name="InflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_unsigned_inbound_timestamp

Axis 2 Service Provider Misconfiguration: Unsigned Outbound Timestamp

Abstract
未簽署的時間戳記會讓 SOAP 訊息遭受纂改與重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息安全語義的「建立時間」。若訊息遭到攔截並於稍後重新傳輸,接收者可拒絕此舊的訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息並修改時間戳記。在這些情況下,攻擊者可能會誘使接收者接受惡意的訊息。

下列服務供應商組態要求 Axis 2 傳送未簽署的時間戳記:

<service>
        ...
	<parameter name="OutflowSecurity">
		<action>
			<items>Timestamp Encrypt</items>
			...
		</action>
	</parameter>
</service>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Web Services Security: SOAP Message Security 1.1 OASIS
[3] Standards Mapping - Common Weakness Enumeration CWE ID 345
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[5] Standards Mapping - FIPS200 CM
[6] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 13.2.6 RESTful Web Service Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[12] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3860 CAT II, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3860 CAT II, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3860 CAT II, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3860 CAT II, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3860 CAT II, APP3260 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3860 CAT II, APP3260 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[51] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[52] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_provider_misconfiguration_unsigned_outbound_timestamp

Axis 2 Service Requester Misconfiguration: Missing Inbound Timestamp

Abstract
缺少時間戳記會讓 SOAP 遭受重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息建立的時間。若攻擊者截取稍後重新傳輸的訊息,接收者可拒絕重複進行的攻擊,因為時間戳記顯示這是舊訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息、修改時間戳記並傳送給接收者。在這些情況下,攻擊者可能會誘使接收者接受惡意的訊息。

以下 Apache Axis 2 Rampart 組態會忽略 <items> 標籤中的 Timestamp 指令,所以用戶端的回應不需要包含時間戳記。

<axisconfig name="AxisJava2.0">
...
   <parameter name="InflowSecurity">
      <action>
        <items>Signature Encrypt</items>
...
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 353
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - FIPS200 CM
[5] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[8] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[9] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[10] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[11] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[12] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[15] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3870 CAT I, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3870 CAT I, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3870 CAT I, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3870 CAT I, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3870 CAT I, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3870 CAT I, APP3260 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[50] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_missing_inbound_timestamp

Axis 2 Service Requester Misconfiguration: Missing Outbound Timestamp

Abstract
缺少時間戳記會讓 SOAP 遭受重複進行的攻擊。
Explanation
安全性時間戳記可指示訊息安全性資料建立的時間。若攻擊者截取稍後重新傳輸的訊息,接收者可拒絕重複進行的攻擊,因為時間戳記顯示這是舊訊息。或者,時間戳記可包含一個有效期屬性,您可以使用該屬性以限制安全語義的有效時間。

若要防止攻擊者纂改時間戳記,則時間戳記必須已完成簽署。如果時間戳記並未經過簽署,攻擊者可能會在接收者未察覺的狀況下攔截 SOAP 訊息、修改時間戳記並傳送給接收者。在這些情況下,攻擊者可能誘使接收者接受惡意的訊息。

以下 Apache Axis 2 Rampart 組態會忽略 <items> 標籤中的 Timestamp 指令,因此用戶端不會傳送具有時間戳記的要求。

<axisconfig name="AxisJava2.0">
...
   <parameter name="OutflowSecurity">
      <action>
        <items>Signature Encrypt</items>
...
</axisconfig>
References
[1] Securing SOAP Messages with Rampart Apache Software Foundation
[2] Standards Mapping - Common Weakness Enumeration CWE ID 353
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-001453, CCI-001941, CCI-001942, CCI-002418, CCI-002420, CCI-002421, CCI-002422
[4] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), SC-8 Transmission Confidentiality and Integrity (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), SC-8 Transmission Confidentiality and Integrity
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection
[9] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[11] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[12] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[13] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[14] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.3 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications
[25] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3870 CAT I, APP3260 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3870 CAT I, APP3260 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3870 CAT I, APP3260 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3870 CAT I, APP3260 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3870 CAT I, APP3260 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3870 CAT I, APP3260 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000180 CAT II, APSC-DV-000190 CAT I, APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)
[49] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.config.java.axis2_service_requester_misconfiguration_missing_outbound_timestamp