1437 找到的項目
弱點

Azure Terraform Misconfiguration: Weak App Service Authentication

Abstract
組態使用弱式驗證機制。
Explanation
弱式驗證機制會讓組織暴露於未經授權存取的風險。

驗證機制可能因各種原因而失敗,例如:
- 低強度密碼
- 驗證不當
- 低強度的認證管理
References
[1] Standards Mapping - CIS Microsoft Azure Foundations Benchmark Recommendation 9.1
[2] Standards Mapping - Common Weakness Enumeration CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[9] Standards Mapping - FIPS200 CM
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[17] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[20] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[21] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Azure Terraform Misconfiguration: Weak Functions Authentication

Abstract
組態使用弱式驗證機制。
Explanation
弱式驗證機制會讓組織暴露於未經授權存取的風險。

驗證機制可能因各種原因而失敗,例如:
- 低強度密碼
- 驗證不當
- 低強度的認證管理
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Azure Terraform Misconfiguration: Weak Linux Virtual Machines Authentication

Abstract
組態使用弱式驗證機制。
Explanation
弱式驗證機制會讓組織暴露於未經授權存取的風險。

驗證機制可能因各種原因而失敗,例如:
- 低強度密碼
- 驗證不當
- 低強度的認證管理
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Azure Terraform Misconfiguration: Weak Service Fabric Authentication

Abstract
組態使用弱式驗證機制。
Explanation
弱式驗證機制會讓組織暴露於未經授權存取的風險。

驗證機制可能因各種原因而失敗,例如:
- 低強度密碼
- 驗證不當
- 低強度的認證管理
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 287
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[19] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[20] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[48] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)
desc.structural.iac.misconfiguration_weak_authentication.base

Bean Manipulation

Abstract
攻擊者可設定可能危及系統完整性的任意 bean 屬性。
Explanation
Bean 屬性名稱和值在填入任何 bean 之前皆需驗證。Bean 填寫功能允許開發人員設定 bean 屬性或巢狀屬性。攻擊者可利用此功能存取類似於 class.classLoader 的特別 bean 屬性,這些屬性允許攻擊者取代系統屬性,並可能執行任意程式碼。

範例 1:以下程式碼會設定使用者控制的 bean 屬性,但不正常驗證屬性名稱或值:


String prop = request.getParameter('prop');
String value = request.getParameter('value');
HashMap properties = new HashMap();
properties.put(prop, value);
BeanUtils.populate(user, properties);
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 15
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[7] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization
[8] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[9] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[10] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[11] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.1
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.1
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.java.bean_manipulation

Biometric Authentication: Insecure Touch ID Implementation

Abstract
應用程式使用 LocalAuthentication 框架來驗證使用者,這可能無法滿足需要加強型安全性控制的應用程式的要求。
Explanation
以 Touch ID 為基礎的驗證能夠以兩種不同的類別實作:使用 LocalAuthentication 框架或使用以 Touch ID 為基礎的存取控制 (在金鑰鏈服務中)。

雖然這兩種方式對大多數應用程式而言足夠強大,但 LocalAuthentication 方法具有的某些特性,使其不太適用於高風險的應用程式 (例如金融、醫療和保險):

-LocalAuthentication 在裝置的 Secure Enclave 外部定義,意味著可以在已破解的裝置上連結和修改其 API。
-LocalAuthentication 透過評估上下文策略 (可能僅評估為 truefalse) 來驗證使用者。此布林值評估表示應用程式將無法得知真正經過驗證的使用者,它只知道是否使用了向裝置註冊的指紋。此外,未來可能註冊的指紋也會成功評估為 true


範例 1:以下程式碼使用 LocalAuthentication 框架來執行使用者驗證:


    ...
    LAContext *context = [[LAContext alloc] init];  
    NSError *error = nil;  
    NSString *reason = @"Please authenticate using the Touch ID sensor.";
    
    if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {  
        [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:reason
                reply:^(BOOL success, NSError *error) {
                    if (success) {
                        // Fingerprint was authenticated
                    } else {
                        // Fingerprint could not be authenticated
                    }
            }
        ];
    ...
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Integrating Touch ID Into Your iOS Applications Cigital
[3] Don't Touch Me That Way nVisium
[4] SecAccessControlCreateFlags Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.objc.biometric_authentication_insecure_touch_id_implementation
Abstract
應用程式使用 LocalAuthentication 框架來驗證使用者,這可能無法滿足需要加強型安全性控制的應用程式的要求。
Explanation
以 Touch ID 為基礎的驗證能夠以兩種不同的類別實作:使用 LocalAuthentication 框架或使用以 Touch ID 為基礎的存取控制 (在金鑰鏈服務中)。

雖然這兩種方式對大多數應用程式而言足夠強大,但 LocalAuthentication 方法具有的某些特性,使其不太適用於高風險的應用程式 (例如金融、醫療和保險):

-LocalAuthentication 在裝置的 Secure Enclave 外部定義,意味著可以在已破解的裝置上連結和修改其 API。
-LocalAuthentication 透過評估上下文策略 (可能僅評估為 truefalse) 來驗證使用者。此布林值評估表示應用程式將無法得知真正經過驗證的使用者,它只知道是否使用了向裝置註冊的指紋。此外,未來可能註冊的指紋也會成功評估為 true


範例 1:以下程式碼使用 LocalAuthentication 框架來執行使用者驗證:


    ...
    let context:LAContext = LAContext();  
    var error:NSError?  
    let reason:String = "Please authenticate using the Touch ID sensor."
    
    if (context.canEvaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, error: &error))  {
        context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: reason, reply: { (success, error) -> Void in
            if (success) {
                // Fingerprint was authenticated
            }
            else {
                // Fingerprint could not be authenticated
            }
        })
    }
    ...
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Integrating Touch ID Into Your iOS Applications Cigital
[3] Don't Touch Me That Way nVisium
[4] SecAccessControlCreateFlags Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.swift.biometric_authentication_insecure_touch_id_implementation

Biometric Authentication: Insufficient Touch ID Protection

Abstract
應用程式使用 Touch ID 在金鑰鏈中儲存某個項目,但無法將有效指紋限制為儲存金鑰鏈項目時可用的指紋。
Explanation
以 Touch ID 為基礎的驗證可使用金鑰鏈服務進行實作,方法是,將某個項目儲存在金鑰鏈中,並設定要求使用者稍後使用其指紋擷取項目的存取控制。以下策略可用於定義使用者如何使用指紋進行驗證。

-kSecAccessControlUserPresence:限制使用 Touch ID 或密碼進行存取。不一定非要提供或註冊 Touch ID。即使新增或移除指紋,仍可透過 Touch ID 存取項目。
-kSecAccessControlTouchIDAny:限制使用 Touch ID 中任何註冊的指紋進行存取。新增或移除指紋不會使項目失效。
-kSecAccessControlTouchIDCurrentSet:限制使用 Touch ID 中目前註冊的指紋進行存取。新增或移除指紋會使項目失效。

使用 Touch ID 時,應使用 kSecAccessControlTouchIDCurrentSet 屬性,以免指紋在未來被新增或移除。

範例 1:以下程式碼使用 kSecAccessControlTouchIDAny 限制,該限制允許任何未來註冊的指紋來解除鎖定金鑰鏈項目:


    ...
    SecAccessControlRef sacRef = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                 kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                 kSecAccessControlTouchIDCurrentSet, 
                 nil);
    NSMutableDictionary *dict = [NSMutableDictionary dictionary];
    [dict setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id) kSecClass];
    [dict setObject:account forKey:(__bridge id)kSecAttrAccount];
    [dict setObject:service forKey:(__bridge id) kSecAttrService];
    [dict setObject:token forKey:(__bridge id)kSecValueData];
    ...
    [dict setObject:sacRef forKey:(__bridge id)kSecAttrAccessControl];
    [dict setObject:@"Please authenticate using the Touch ID sensor." forKey:(__bridge id)kSecUseOperationPrompt];

    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dict, nil);
    });
    ...
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Integrating Touch ID Into Your iOS Applications Cigital
[3] Don't Touch Me That Way nVisium
[4] SecAccessControlCreateFlags Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.objc.biometric_authentication_insufficient_touch_id_protection
Abstract
應用程式使用 Touch ID 在金鑰鏈中儲存某個項目,但無法將有效指紋限制為儲存金鑰鏈項目時可用的指紋。
Explanation
以 Touch ID 為基礎的驗證可使用金鑰鏈服務進行實作,方法是,將某個項目儲存在金鑰鏈中,並設定要求使用者稍後使用其指紋擷取項目的存取控制。以下策略可用於定義使用者如何使用指紋進行驗證。

-kSecAccessControlUserPresence:限制使用 Touch ID 或密碼進行存取。不一定非要提供或註冊 Touch ID。即使新增或移除指紋,仍可透過 Touch ID 存取項目。
-kSecAccessControlTouchIDAny:限制使用 Touch ID 中任何註冊的指紋進行存取。新增或移除指紋不會使項目失效。
-kSecAccessControlTouchIDCurrentSet:限制使用 Touch ID 中目前註冊的指紋進行存取。新增或移除指紋會使項目失效。

使用 Touch ID 時,應使用 kSecAccessControlTouchIDCurrentSet 屬性,以免指紋在未來被新增或移除。

範例 1:以下程式碼使用 kSecAccessControlTouchIDAny 限制,該限制允許任何未來註冊的指紋來解除鎖定金鑰鏈項目:


    ...
    let flags = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .TouchIDAny, 
        nil)

    var query = [String : AnyObject]()
    query[kSecClass as String] = kSecClassGenericPassword
    query[kSecAttrService as String] = service as AnyObject?
    query[kSecAttrAccount as String] = account as AnyObject?
    query[kSecValueData as String] = secret as AnyObject?
    ...
    query[kSecAttrAccessControl as String] = sacRef
    query[kSecUseOperationPrompt as String] = "Please authenticate using the Touch ID sensor."

    SecItemAdd(query as CFDictionary, nil)
    ...
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Integrating Touch ID Into Your iOS Applications Cigital
[3] Don't Touch Me That Way nVisium
[4] SecAccessControlCreateFlags Apple
[5] Standards Mapping - Common Weakness Enumeration CWE ID 287
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [13] CWE ID 287
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958
[13] Standards Mapping - FIPS200 CM, SC
[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1)
[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication
[17] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)
[18] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[19] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[20] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
[21] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[22] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications
[23] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection
[24] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls
[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311
[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.dataflow.swift.biometric_authentication_insufficient_touch_id_protection

Biometric Authentication: Missing Operation Message

Abstract
應用程式要求使用者輸入其指紋,但未提供正當理由。
Explanation
根據 Apple 的策略,應用程式應總是向使用者解釋要求其輸入指紋的原因。如果沒有這樣做,可能會讓使用者感到困惑,甚至使應用程式在 AppStore 中遭到拒絕。

範例 1:以下程式碼使用 Touch ID 來驗證使用者,但未提供本地化原因來解釋為什麼要求進行驗證。


    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:nil
        reply:^(BOOL success, NSError *error) {
            if (success) {
                NSLog(@"Auth was OK");
            } 
    }];
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.objc.biometric_authentication_missing_operation_message
Abstract
應用程式要求使用者輸入其指紋,但未提供正當理由。
Explanation
根據 Apple 的策略,應用程式應總是向使用者解釋要求其輸入指紋的原因。如果沒有這樣做,可能會讓使用者感到困惑,甚至使應用程式在 AppStore 中遭到拒絕。

範例 1:以下程式碼使用 Touch ID 來驗證使用者,但未提供本地化原因來解釋為什麼要求進行驗證。


    context.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "", reply: { (success, error) -> Void in
        if (success) {
            print("Auth was OK");
        }
        else {
            print("Error received: %d", error!);
        }
    })
References
[1] David Thiel iOS Application Security: The Definitive Guide for Hackers and Developers No Starch Press
[2] Keychain and Authentication with Touch ID Apple
[3] https://developer.apple.com/reference/localauthentication/lacontext Apple
[4] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[5] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[6] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-AUTH-1, MASVS-AUTH-2
desc.structural.swift.biometric_authentication_missing_operation_message

Buffer Overflow

Abstract
在分派的記憶體區塊界線外寫入資料會導致資料毀損、程式當機或惡意程式碼的執行。
Explanation
Buffer overflow 可能是軟體安全性弱點最為人知的一種形式。大部分軟體開發人員都知道什麼是 Buffer overflow 弱點,但傳統和新開發的應用程式仍常遭到 Buffer overflow 攻擊。此問題的部份原因是,發生 Buffer overflow 的方式很多,部分原因是人們常常用不恰當的方式來防範 Buffer overflow。

在典型的 Buffer overflow 攻擊中,攻擊者會將資料傳送到程式,而程式會將其儲存在一個較小的堆疊緩衝區內。結果就是呼叫這個堆疊的資訊超出了它的邊界,其中包括函數的回傳指標。該資料設定了回傳指標的值,當函數回傳時,會將控制傳送到攻擊者資料所包含的惡意程式碼。

這類型的堆疊 Buffer overflow 在一些平台和開發社群中仍然很常見,但卻還有多種其他類型的 Buffer overflow,包括堆積 Buffer overflow 和差一錯誤 (off-by-one-error) 等等。有許多優秀的著作提供了關於堆疊 Buffer overflow 如何攻擊的具體資訊,包括 Building Secure Software[1]、Writing Secure Code[2]和 The Shellcoder's Handbook[3]。

在程式碼層級,會發生 Buffer overflow 弱點通常是因為程式設計師的假設被推翻。許多在 C 和 C++ 的記憶體操作函數不執行範圍檢查,且可以輕易地覆寫所操作的緩衝區已分配的範圍。甚至如 strncpy() 的範圍函數,使用不正確時也會引起弱點。大多數 Buffer overflow 弱點的根本原因,都是緩衝區的處理,加上對資料的大小或組成假設錯誤。

Buffer overflow 弱點通常出現在這樣的程式碼中:

- 依靠外部資料來控制運作方式者。

- 仰賴被強制位於程式碼臨接範圍外的資料特性者。

- 程式碼複雜到程式設計師不能準確預測到其運作方式者。



以下範例顯示了這三種情況。

範例 1.a:接下來的程式碼範例展示了通常由第一種情況導致的簡單 Buffer overflow,即靠外部資料控制運作方式者。程式碼使用 gets() 函數,將一個任意長度的資料讀取到堆疊緩衝區。因為沒有什麼方法可以限制這個函數讀取的資料量,所以使用者輸入的字元數必須少於 BUFSIZE,以確保程式碼的安全性。


	...
	char buf[BUFSIZE];
	gets(buf);
	...
範例 1.b:此範例顯示只要使用 >> 運算子將輸入讀取到 char[] 字串中,即可輕易模仿 C++ 中 gets() 函數不安全的運作方式。


	...
	char buf[BUFSIZE];
	cin >> (buf);
	...
範例 2:雖然這個範例中的程式碼也是依賴於使用者的輸入來控制它的運作方式,但是它會藉由使用邊界記憶體複製函數 memcpy() 增加一個間接的層面。此函數接受目的緩衝區、來源緩衝區,以及要複製的位元組數量。輸入緩衝區由 read() 的範圍呼叫所填滿,但使用者指定 memcpy() 要複製的位元組數量。


	...
char buf[64], in[MAX_SIZE];
printf("Enter buffer contents:\n");
read(0, in, MAX_SIZE-1);
printf("Bytes to copy:\n");
scanf("%d", &bytes);
memcpy(buf, in, bytes);
	...


注意:這個類型的 Buffer overflow 弱點 (程式讀取資料,然後信賴其他資料上後續記憶體操作中的一個數值) 在圖形、音頻和其他的檔案處理庫中發生次數頻繁。

範例 3:這是第二種情況的範例,其中的程式碼根據非本地驗證的資料特性而異。在這個範例中,一個名為 lccopy() 的函數將一個字串做為引數讀取,然後將這個字串中所有的大寫字母轉化成小寫字母回傳一個堆疊分配的字串副本。這個函數不會對其輸入執行範圍檢查,因為程式預期 str 始終小於 BUFSIZE。如果攻擊者避開對呼叫 lccopy() 的程式碼的測試,或者,如果程式碼有什麼變化,使得關於 str 長度的假設失真,那麼 lccopy() 就會在 strcpy() 超出邊界的呼叫過程中溢位 buf


char *lccopy(const char *str) {
	char buf[BUFSIZE];
	char *p;

	strcpy(buf, str);
	for (p = buf; *p; p++) {
		if (isupper(*p)) {
			*p = tolower(*p);
		}
	}
	return strdup(buf);
}
範例 4:下列程式碼示範了第三種情況,其中程式碼太過複雜以致無法輕易預測其行為。這段程式碼來自於主流的 libPNG 圖像解碼器,此解碼器廣泛用於多種應用程式。

該程式碼似乎能安全執行界限檢查,因為它檢查了變數長度的大小,之後這會被用來控制 png_crc_read() 複製的資料量。不過,在測試長度之前,程式碼會立即對 png_ptr->mode 執行檢查。檢查失敗時,系統會發出警告,而處理會繼續執行下去。由於 length 會在一個 else if 區塊中進行測試,所以當第一個檢查失敗時,就不會測試 length;且在呼叫 png_crc_read() 期間對其的盲目使用易引發堆疊 Buffer overflow。

雖然這個範例中的程式碼不是我們所見到的當中最複雜的一個,但是它解釋了為什麼執行緩衝區操作的程式碼的複雜度應該減到最低。


if (!(png_ptr->mode & PNG_HAVE_PLTE)) {
	/* Should be an error, but we can cope with it */
png_warning(png_ptr, "Missing PLTE before tRNS");
}
else if (length > (png_uint_32)png_ptr->num_palette) {
png_warning(png_ptr, "Incorrect tRNS chunk length");
png_crc_finish(png_ptr, length);
return;
}
...
png_crc_read(png_ptr, readbuf, (png_size_t)length);
範例 5:此範例同樣證明了第三種情況,程式的複雜性將 Buffer overflow 的問題暴露出來。在此案例中,弱點歸咎於函數某個不明確的介面,而不是程式碼的結構 (就如同前面一個範例中所描述的)。

getUserInfo() 函數採用一個定義為多位元組字元串的使用者名和一個指標來組成使用者資訊的結構,並將使用者資訊填入這個結構。因為 Windows 對使用者名稱的 authentication 是使用統一的字元編碼標準,所以 username 是第一個從多位元組字元串轉換成統一字元編碼標準的字串的參數。函數接著會不正確地以位元組而非字元傳送 unicodeUser 的大小。呼叫 MultiByteToWideChar() 可能會因此而將最多 (UNLEN+1)*sizeof(WCHAR) 個寬字元,或
(UNLEN+1)*sizeof(WCHAR)*sizeof(WCHAR) 個位元組寫入 unicodeUser 陣列,而僅為該陣列分配了 (UNLEN+1)*sizeof(WCHAR) 個位元組。如果 username 字串包含了多於 UNLEN 的字元,那麼呼叫 MultiByteToWideChar() 將會溢出 unicodeUser 緩衝區。


void getUserInfo(char *username, struct _USER_INFO_2 info){
WCHAR unicodeUser[UNLEN+1];
	MultiByteToWideChar(CP_ACP, 0, username, -1,
    	      			unicodeUser, sizeof(unicodeUser));
NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] About Strsafe.h Microsoft
[5] Standards Mapping - Common Weakness Enumeration CWE ID 120, CWE ID 129, CWE ID 131, CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [3] CWE ID 020, [12] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [3] CWE ID 020, [2] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787, [4] CWE ID 020, [17] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787, [4] CWE ID 020, [19] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787, [6] CWE ID 020, [17] CWE ID 119
[11] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754, CCI-002824
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 18-0-5
[17] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3, Rule 21.2.2
[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3), 5.4.1 Memory/String/Unmanaged Code Requirements (L1 L2 L3), 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3), 14.1.2 Build (L2 L3)
[21] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[22] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[23] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[24] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[25] Standards Mapping - OWASP Top 10 2013 A1 Injection
[26] Standards Mapping - OWASP Top 10 2017 A1 Injection
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[38] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[39] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[40] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 120, Risky Resource Management - CWE ID 129, Risky Resource Management - CWE ID 131
[41] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 120, Risky Resource Management - CWE ID 131
[42] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3590.1 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3590.1 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[63] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I, APSC-DV-002590 CAT I
[64] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[65] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.dataflow.cpp.buffer_overflow

Buffer Overflow: Format String

Abstract
程式使用不正確的邊界 Format String,讓程式可寫入分配記憶體邊界以外的位置。此運作方式可能會導致資料毀損、程式當機,或惡意程式碼的執行。
Explanation
Buffer overflow 可能是軟體安全性弱點最為人知的一種形式。大部分軟體開發人員都知道什麼是 Buffer overflow 弱點,但傳統和新開發的應用程式仍常遭到 Buffer overflow 攻擊。此問題的部份原因是,發生 Buffer overflow 的方式很多,部分原因是人們常常用不恰當的方式來防範 Buffer overflow。

在典型的 Buffer overflow 攻擊中,攻擊者會將資料傳送到程式,而程式會將其儲存在一個較小的堆疊緩衝區內。結果就是呼叫這個堆疊的資訊超出了它的邊界,其中包括函數的回傳指標。該資料設定了回傳指標的值,當函數回傳時,會將控制傳送到攻擊者資料所包含的惡意程式碼。

這類型的堆疊 Buffer overflow 在一些平台和開發社群中仍然很常見,但卻還有多種其他類型的 Buffer overflow,包括堆積 Buffer overflow 和差一錯誤 (off-by-one-error) 等等。有許多優秀的著作提供了關於堆疊 Buffer overflow 如何攻擊的具體資訊,包括 Building Secure Software[1]、Writing Secure Code[2]和 The Shellcoder's Handbook[3]。

在程式碼層級,會發生 Buffer overflow 弱點通常是因為程式設計師的假設被推翻。C 和 C++ 中的很多記憶體處理函數都沒有執行邊界值檢查,並會輕易地超出操作中緩衝區被配置的邊界值。甚至如 strncpy() 的範圍函數,使用不正確時也會引起弱點。大多數 Buffer overflow 弱點的根本原因,都是緩衝區的處理,加上對資料的大小或組成假設錯誤。

在此案例中,錯誤建構的 Format String 會導致程式寫入分配記憶體邊界以外的位置。

範例 1:以下程式碼溢出 c,因為 double 類型所需的空間大於為 c 所配置的空間。


void formatString(double d) {
    char c;

    scanf("%d", &c)
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 134, CWE ID 787
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.2 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[23] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[24] Standards Mapping - OWASP Top 10 2013 A1 Injection
[25] Standards Mapping - OWASP Top 10 2017 A1 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[39] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 134
[40] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[62] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[63] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_format_string

Buffer Overflow: Format String (%f/%F)

Abstract
程式使用包含了%f 或%F 浮動指標規範的錯誤邊界 Format String。預期外的大浮動指標值會使得程式將資料寫入分配記憶體邊界以外的位置,導致檔案毀損、程式當機,或惡意程式碼的執行。
Explanation
Buffer overflow 可能是軟體安全性弱點最為人知的一種形式。大部分軟體開發人員都知道什麼是 Buffer overflow 弱點,但傳統和新開發的應用程式仍常遭到 Buffer overflow 攻擊。此問題的部份原因是,發生 Buffer overflow 的方式很多,部分原因是人們常常用不恰當的方式來防範 Buffer overflow。

在典型的 Buffer overflow 攻擊中,攻擊者會將資料傳送到程式,而程式會將其儲存在一個較小的堆疊緩衝區內。結果就是呼叫這個堆疊的資訊超出了它的邊界,其中包括函數的回傳指標。該資料設定了回傳指標的值,當函數回傳時,會將控制傳送到攻擊者資料所包含的惡意程式碼。

這類型的堆疊 Buffer overflow 在一些平台和開發社群中仍然很常見,但卻還有多種其他類型的 Buffer overflow,包括堆積 Buffer overflow 和差一錯誤 (off-by-one-error) 等等。有許多優秀的著作提供了關於堆疊 Buffer overflow 如何攻擊的具體資訊,包括 Building Secure Software[1]、Writing Secure Code[2]和 The Shellcoder's Handbook[3]。

在程式碼層級,會發生 Buffer overflow 弱點通常是因為程式設計師的假設被推翻。C 和 C++ 中的很多記憶體處理函數都沒有執行邊界值檢查,並會輕易地超出操作中緩衝區被配置的邊界值。甚至如 strncpy() 的範圍函數,使用不正確時也會引起弱點。大多數 Buffer overflow 弱點的根本原因,都是緩衝區的處理,加上對資料的大小或組成假設錯誤。

在此案例中,錯誤建構的 Format String 會導致程式寫入分配記憶體邊界以外的位置。

範例 1:以下程式碼溢出 buf,因為視 f 的大小而定,Format String 規範 "%d %.1f ... " 會超出配置的記憶體容量。


void formatString(int x, float f) {
   char buf[40];
   sprintf(buf, "%d %.1f ... ", x, f);
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 787
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[38] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 134
[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3560 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[61] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[62] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_format_string_%f_%F

Buffer Overflow: Off-by-One

Abstract
程式只會寫入超過分派記憶體邊界的位置,導致檔案毀損、程式當機,或惡意程式碼的執行。
Explanation
Buffer overflow 可能是軟體安全性弱點最為人知的一種形式。大部分軟體開發人員都知道什麼是 Buffer overflow 弱點,但傳統和新開發的應用程式仍常遭到 Buffer overflow 攻擊。此問題的部份原因是,發生 Buffer overflow 的方式很多,部分原因是人們常常用不恰當的方式來防範 Buffer overflow。

在典型的 Buffer overflow 攻擊中,攻擊者會將資料傳送到程式,而程式會將其儲存在一個較小的堆疊緩衝區內。結果就是呼叫這個堆疊的資訊超出了它的邊界,其中包括函數的回傳指標。該資料設定了回傳指標的值,當函數回傳時,會將控制傳送到攻擊者資料所包含的惡意程式碼。

這類型的差一錯誤 (off-by-one error) 在一些平台和開發社群中仍然很常見,但卻還有多種其他類型的 Buffer overflow,包括堆疊和堆積 Buffer overflow 等等。有許多優秀的著作提供了關於堆疊 Buffer overflow 如何攻擊的具體資訊,包括 Building Secure Software[1]、Writing Secure Code[2]和 The Shellcoder's Handbook[3]。

在程式碼層級,會發生 Buffer overflow 弱點通常是因為程式設計師的假設被推翻。C 和 C++ 中的很多記憶體處理函數都沒有執行邊界值檢查,並會輕易地超出操作中緩衝區被配置的邊界值。甚至如 strncpy() 的範圍函數,使用不正確時也會引起弱點。大多數 Buffer overflow 弱點的根本原因,都是緩衝區的處理,加上對資料的大小或組成假設錯誤。

範例 1:以下程式碼包含差一錯誤 (off-by-one error) Buffer Overflow,它是在 recv 傳回 sizeof(buf) 位元組讀取允許上限時發生。在此案例中,後續解除參照 buf[nbytes] 將會在配置記憶體邊界以外寫入 null 位元組。


void receive(int socket) {
   char buf[MAX];
   int nbytes = recv(socket, buf, sizeof(buf), 0);
   buf[nbytes] = '\0';
   ...
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 129, CWE ID 131, CWE ID 193, CWE ID 787, CWE ID 805
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [3] CWE ID 020, [12] CWE ID 787
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [3] CWE ID 020, [2] CWE ID 787
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [1] CWE ID 787, [4] CWE ID 020, [17] CWE ID 119
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [1] CWE ID 787, [4] CWE ID 020, [19] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [1] CWE ID 787, [6] CWE ID 020, [17] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [2] CWE ID 787, [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1, Rule 18-0-5
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3, Rule 21.2.2
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)
[20] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[22] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[23] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[24] Standards Mapping - OWASP Top 10 2013 A1 Injection
[25] Standards Mapping - OWASP Top 10 2017 A1 Injection
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[38] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 119
[39] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 805, Risky Resource Management - CWE ID 129, Risky Resource Management - CWE ID 131
[40] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 131
[41] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3590.1 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3590.1 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3590.1 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[60] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[61] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[62] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[63] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[64] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_off_by_one

Buffer Overflow: Signed Comparison

Abstract
此程式使用有符號比較法來檢查之後被視為無符號變數的值。這將會導致程式寫入分配記憶體邊界以外的位置,導致資料毀損、程式當機,或惡意程式碼的執行。
Explanation
Buffer overflow 可能是軟體安全性弱點最為人知的一種形式。大部分軟體開發人員都知道什麼是 Buffer overflow 弱點,但傳統和新開發的應用程式仍常遭到 Buffer overflow 攻擊。此問題的部份原因是,發生 Buffer overflow 的方式很多,部分原因是人們常常用不恰當的方式來防範 Buffer overflow 。

在典型的 Buffer overflow 攻擊中,攻擊者會將資料傳送到程式,而程式會將其儲存在一個較小的堆疊緩衝區內。結果就是呼叫這個堆疊的資訊超出了它的邊界,其中包括函數的回傳指標。該資料設定了回傳指標的值,當函數回傳時,會將控制傳送到攻擊者資料所包含的惡意程式碼。

這類型的堆疊 Buffer overflow 在一些平台和開發社群中仍然很常見,但卻還有多種其他類型的 Buffer overflow ,包括堆積 Buffer overflow 和差一錯誤 (off-by-one-error) 等等。有許多優秀的著作提供了關於堆疊 Buffer overflow 如何攻擊的具體資訊,包括 Building Secure Software[1]、Writing Secure Code[2]和 The Shellcoder's Handbook[3]。

在程式碼層級,會發生 Buffer overflow 弱點通常是因為程式設計師的假設被推翻。C 和 C++ 中的很多記憶體處理函數都沒有執行邊界值檢查,並會輕易地超出操作中緩衝區被配置的邊界值。甚至如 strncpy() 的範圍函數,使用不正確時也會引起弱點。大多數 Buffer overflow 弱點的根本原因,都是緩衝區的處理,加上對資料的大小或組成假設錯誤。

範例 1:以下程式碼藉由檢查從 getInputLength() 讀取的不信賴值要小於目的緩衝區 output 的大小,來嘗試避免 off-by-one Buffer Overflow 的發生。但由於 lenMAX 的比較為有符號比較法,所以若 len 為負數值,當其轉換為 memcpy() 的無符號引數時,就會變成非常大的正數值。


void TypeConvert() {
   char input[MAX];
   char output[MAX];

   fillBuffer(input);
   int len = getInputLength();

   if (len <= MAX) {
      memcpy(output, input, len);
   }
   ...
}
References
[1] J. Viega, G. McGraw Building Secure Software Addison-Wesley
[2] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press
[3] J. Koziol et al. The Shellcoder's Handbook: Discovering and Exploiting Security Holes John Wiley & Sons
[4] Standards Mapping - Common Weakness Enumeration CWE ID 195, CWE ID 805
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [17] CWE ID 119
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [19] CWE ID 119
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [17] CWE ID 119
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [20] CWE ID 119
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002824
[12] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[14] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3, Rule 21.17
[15] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[16] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1), SI-16 Memory Protection (P1)
[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation, SI-16 Memory Protection
[19] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[20] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[21] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[22] Standards Mapping - OWASP Top 10 2004 A5 Buffer Overflow
[23] Standards Mapping - OWASP Top 10 2013 A1 Injection
[24] Standards Mapping - OWASP Top 10 2017 A1 Injection
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.2
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.2
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.2
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.2
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.2
[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.2 - Terminal Software Attack Mitigation
[37] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 805
[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3550 CAT I, APP3590.1 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3550 CAT I, APP3590.1 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3550 CAT I, APP3590.1 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3550 CAT I, APP3590.1 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3550 CAT I, APP3590.1 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3550 CAT I, APP3590.1 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3550 CAT I, APP3590.1 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002590 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002590 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002590 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002590 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002590 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002590 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002590 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002590 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002590 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002590 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002590 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002590 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002590 CAT I
[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[59] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002590 CAT I
[60] Standards Mapping - Web Application Security Consortium Version 2.00 Buffer Overflow (WASC-07)
[61] Standards Mapping - Web Application Security Consortium 24 + 2 Buffer Overflow
desc.internal.cpp.buffer_overflow_signed_comparison

Build Misconfiguration: Dynamic Dependency Version Usage

Abstract
使用動態版本擷取建置的 dependency,會使 build system 易受惡意二進位程式的侵害或造成系統產生意外的運作方式。
Explanation
利用 Apache Ivy 自動化 dependency 管理系統,使用者可為 dependency 指定版本狀態 (也稱為動態版本),而非列出特定版本。如果攻擊者能夠危害 dependency 儲存庫,或欺騙 build system 從攻擊者控制的儲存庫下載 dependency,那麼 build system 只需下載動態修正說明符號,而該說明符號可能執行受危害的 dependency。除了安全性風險之外,動態修正還會為 Code Quality 帶來下列風險:動態修正使軟體的安全性和穩定性受控於第三方,即開發和發行軟體所使用的 dependency 的第三方。

在建置過程中,Ivy 會連接到儲存庫並企圖擷取與所列出狀態相符的 dependency。

Ivy 接受以下的動態修正說明符號:

- latest.integration:選擇 dependency 模組的最新修正。
- latest.[any status]:選擇至少處於指定狀態的 dependency 模組的最新修正。例如,latest.milestone 會選擇重要的修正版本,或是發行版本,而 latest.release 僅會選擇最新發行版本。
- 任何結尾為 + 的修正:選擇 dependency 模組的最新子修正。例如,如果 dependency 存在於 1.0.3、1.0.7 及 1.1.2 修正版本中,則指定為 1.0.+ 的修正版本會選擇 1.0.7 修正版本。
- 版本範圍:表示範圍的數學符號 (例如 ) 可用來對應版本的範圍。

範例 1:以下的組態項目會指示 Ivy 擷取 clover 元件的最新發行版本:


<dependencies>
        <dependency org="clover" name="clover"
                    rev="latest.release" conf="build->*"/>
	...


如果儲存庫受到危害,攻擊者可很容易便上傳符合動態標準的版本,使 Ivy 下載 dependency 的惡意版本。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-11 User-Installed Software (P1), SC-18 Mobile Code (P2)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-11 User-Installed Software, CM-14 Signed Components, SC-18 Mobile Code
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[6] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_dynamic_dependency_version

Build Misconfiguration: External Ant Dependency Repository

Abstract
此 Ant 建置 script 依賴於外部資源,會讓攻擊者將惡意程式碼插入最終的產品中,或是控制建置的機器。
Explanation
Java 開發環境中的數個工具可幫助 dependency 管理:Apache Ant 和 Apache Maven 這兩個 build system 皆包含特別用來幫助管理 dependency 的功能,而 Apache Ivy 則開發為 dependency 管理員。儘管它們的運作方式有差異,但這些工具皆共用一般的功能,即會自動下載在建立過程中所指定的外部 dependency。這樣一來,不同的開發人員要用一樣的方式來建置軟體會變得更容易。開發人員只需在建置檔中儲存 dependency 資訊,這表示每位開發人員和建置工程師都使用相同的方法來取得 dependency、編譯程式碼以及部署,不需要進行混亂的手動 dependency 管理。以下的示例說明如何在建立過程中,用 Ivy、Ant 和 Maven 來管理外部相依性。

開發人員使用 <get> 工作,在 Ant 目標中指定外部 dependency,以擷取由相應的 URL 指定的 dependency。此方法與以下情形在功能上是相同的:開發人員證明每個外部 dependency 為軟體項目中附帶的人工項目,但卻是必要的,因為它可以在執行建置時自動擷取和合併 dependency。

範例 1:以下內容來自 Ant build.xml 組態設定檔案,顯示外部 dependency 的典型參照:


<get src="http://people.apache.org/repo/m2-snapshot-repository/org/apache/openejb/openejb-jee/3.0.0-SNAPSHOT/openejb-jee-3.0.0-SNAPSHOT.jar"
dest="${maven.repo.local}/org/apache/openejb/openejb-jee/3.0.0-SNAPSHOT/openejb-jee-3.0.0-SNAPSHOT.jar"
usetimestamp="true" ignoreerrors="true"/>


兩個不同類型的攻擊情況會影響這些系統:攻擊者可能會危害控制 dependency 的伺服器,或危害 DNS 伺服器,建置機器用其來將控制 dependency 伺服器主機名稱的要求重新導向到攻擊者所控制的機器。此兩種情況都會使得攻擊者可將 dependency 的惡意版本插入到未受危害的機器上所執行的建置中。

不管攻擊者用來傳遞 Trojan dependency 的手段是什麼,這些情況都存在一種共同要素,即 build system 盲目的接受惡意的二進位程式並把它包含在建置中。因為 build system 無法拒絕惡意的二進位程式和現有的安全機制 (例如程式碼審核),所以通常會著重於內部開發的程式碼而非外部的 dependency,此類攻擊可在不易察覺的情況下傳播到開發環境並潛進產品中。

雖然手動建置過程中存在 dependency 受到危害的風險,但由於自動化 build system 有從外部來源擷取 dependency 的趨勢,使得每次 build system 在新環境中執行時,會增加攻擊者的攻擊機會。攻擊者只需在 dependency 伺服器或 DNS 伺服器擷取 dependency 時造成一次危害,便會危害執行建置的機器。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-11 User-Installed Software (P1), SC-18 Mobile Code (P2)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-11 User-Installed Software, CM-14 Signed Components, SC-18 Mobile Code
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[6] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[13] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_external_ant_dependency_repository

Build Misconfiguration: External Ivy Dependency Repository

Abstract
此 Ant 建置 script 依賴於外部資源,會讓攻擊者將惡意程式碼插入最終的產品中,或是控制建置的機器。
Explanation
Java 開發環境中的數個工具可幫助 dependency 管理:Apache Ant 和 Apache Maven 這兩個 build system 皆包含特別用來幫助管理 dependency 的功能,而 Apache Ivy 則開發為 dependency 管理員。儘管它們的運作方式有差異,但這些工具皆共用一般的功能,即會自動下載在建立過程中所指定的外部 dependency。這樣一來,不同的開發人員要用一樣的方式來建置軟體會變得更容易。開發人員只需在建置檔中儲存 dependency 資訊,這表示每位開發人員和建置工程師都使用相同的方法來取得 dependency、編譯程式碼以及部署,不需要進行混亂的手動 dependency 管理。以下的示例說明如何在建立過程中,用 Ivy、Ant 和 Maven 來管理外部相依性。

使用 Ivy 時,開發人員會指定 dependency 名稱和版本,而不是列出從中擷取 dependency 的明確 URL,Ivy 依靠其基本組態來識別要從中擷取 dependency 的伺服器。使用共同的元件使得開發人員節省了搜尋 dependency 位置的時間。

範例 1:以下來自 Ivy ivy.xml 檔案的摘錄顯示了開發人員如何使用名稱和版本來指定多個外部相依性:


<dependencies>
  <dependency org="javax.servlet"
             name="servletapi"
              rev="2.3" conf="build->*"/>
  <dependency org="javax.jms"
             name="jms"
              rev="1.1" conf="build->*"/>  ...
</dependencies>


兩個不同類型的攻擊情況會影響這些系統:攻擊者可能會危害控制 dependency 的伺服器,或危害 DNS 伺服器,建置機器用其來將控制 dependency 伺服器主機名稱的要求重新導向到攻擊者所控制的機器。此兩種情況都會使得攻擊者可將 dependency 的惡意版本插入到未受危害的機器上所執行的建置中。

不管攻擊者用來傳遞 Trojan dependency 的手段是什麼,這些情況都存在一種共同要素,即 build system 盲目的接受惡意的二進位程式並把它包含在建置中。因為 build system 無法拒絕惡意的二進位程式和現有的安全機制 (例如程式碼審核),所以通常會著重於內部開發的程式碼而非外部的 dependency,此類攻擊可在不易察覺的情況下傳播到開發環境並潛進產品中。

雖然手動建置過程中存在 dependency 受到危害的風險,但由於自動化 build system 有從外部來源擷取 dependency 的趨勢,使得每次 build system 在新環境中執行時,會增加攻擊者的攻擊機會。攻擊者只需在 dependency 伺服器或 DNS 伺服器擷取 dependency 時造成一次危害,便會危害執行建置的機器。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-11 User-Installed Software (P1), SC-18 Mobile Code (P2)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-11 User-Installed Software, CM-14 Signed Components, SC-18 Mobile Code
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[6] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[7] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[8] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[12] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[13] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_external_ivy_dependency_repository

Build Misconfiguration: External Maven Dependency Repository

Abstract
此 Maven 建置 script 依賴於外部資源,會讓攻擊者將惡意程式碼插入最終的產品中,或是控制建置的機器。
Explanation
Java 開發環境中的數個工具可幫助 dependency 管理:Apache Ant 和 Apache Maven 這兩個 build system 皆包含特別用來幫助管理 dependency 的功能,而 Apache Ivy 則開發為 dependency 管理員。儘管它們的運作方式有差異,但這些工具皆共用一般的功能,即會自動下載在建立過程中所指定的外部 dependency。這樣一來,不同的開發人員要用一樣的方式來建置軟體會變得更容易。開發人員只需在建置檔中儲存 dependency 資訊,這表示每位開發人員和建置工程師都使用相同的方法來取得 dependency、編譯程式碼以及部署,不需要進行混亂的手動 dependency 管理。以下的示例說明如何在建立過程中,用 Ivy、Ant 和 Maven 來管理外部相依性。

使用 Maven 時,開發人員會指定 dependency 名稱和版本,而不是列出從中擷取 dependency 的明確 URL,Maven 依靠其基本組態來識別要從中擷取 dependency 的伺服器。使用共同的元件使得開發人員節省了搜尋 dependency 位置的時間。

範例 1:以下來自 Maven pom.xml 檔案的摘錄顯示了開發人員如何使用名稱和版本來指定多個外部相依性:


<dependencies>
  <dependency>
    <groupId>commons-logging</groupId>
    <artifactId>commons-logging</artifactId>
    <version>1.1</version>
  </dependency>
  <dependency>
    <groupId>javax.jms</groupId>
    <artifactId>jms</artifactId>
    <version>1.1</version>
  </dependency>
  ...
</dependencies>


兩個不同類型的攻擊情況會影響這些系統:攻擊者可能會危害控制 dependency 的伺服器,或危害 DNS 伺服器,建置機器用其來將控制 dependency 伺服器主機名稱的要求重新導向到攻擊者所控制的機器。此兩種情況都會使得攻擊者可將 dependency 的惡意版本插入到未受危害的機器上所執行的建置中。

不管攻擊者用來傳遞 Trojan dependency 的手段是什麼,這些情況都存在一種共同要素,即 build system 盲目的接受惡意的二進位程式並把它包含在建置中。因為 build system 無法拒絕惡意的二進位程式和現有的安全機制 (例如程式碼審核),所以通常會著重於內部開發的程式碼而非外部的 dependency,此類攻擊可在不易察覺的情況下傳播到開發環境並潛進產品中。

雖然手動建置過程中存在 dependency 受到危害的風險,但由於自動化 build system 有從外部來源擷取 dependency 的趨勢,使得每次 build system 在新環境中執行時,會增加攻擊者的攻擊機會。攻擊者只需在 dependency 伺服器或 DNS 伺服器擷取 dependency 時造成一次危害,便會危害執行建置的機器。
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001499, CCI-001749, CCI-001812
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-5 Access Restrictions for Change (P1), CM-11 User-Installed Software (P1), SC-18 Mobile Code (P2)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-5 Access Restrictions for Change, CM-11 User-Installed Software, CM-14 Signed Components, SC-18 Mobile Code
[4] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[5] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[6] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration
[7] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[8] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[10] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 2.2.6
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 2.2.6
[13] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001390 CAT II, APSC-DV-001430 CAT II, APSC-DV-001440 CAT II, APSC-DV-003300 CAT II
desc.config.java.build_misconfiguration_external_maven_dependency_repository

CakePHP Misconfiguration: Debug Information

Abstract
層級 1 或更高層級的 CakePHP 除錯作業可能會記錄到敏感資料。
Explanation
可配置 CakePHP 以公開除錯資訊,資訊包含錯誤、警告、SQL 陳述式以及堆疊追蹤。生產環境中不應使用 debug information。

範例 1:

    Configure::write('debug', 3);
Configure::write() 方法的第二個參數表示除錯層級。數字越大,記錄的訊息就越詳細。
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 215
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[7] Standards Mapping - FIPS200 CM
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[15] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[16] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[17] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.semantic.php.cakephp_misconfiguration_debug_information

CakePHP Misconfiguration: Excessive Session Timeout

Abstract
階段作業逾時時間過長會讓攻擊者獲得較多的時間,就可能危及使用者帳戶。
Explanation
開啟階段作業時間愈久,攻擊者威脅使用者帳戶的機率就愈大。階段作業仍為作用中時,攻擊者可能會暴力破解使用者密碼、破解使用者的無線加密金鑰,或是從開啟的瀏覽器控制階段作業。如果足夠大量的階段作業正在執行,較長的階段作業逾時時間也會導致無法釋放記憶體,最後造成阻斷服務。

範例 1:以下範例顯示使用 low 階段作業安全性配置的 CakePHP。

    Configure::write('Security.level', 'low');


Session.timeout 設定配合使用,Security.level 設定可定義階段作業的有效時間。實際階段作業逾時時間等於 Session.timeout 乘以下列其中一項倍數:

'high' = x 10
'medium' = x 100
'low' = x 300
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 613
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000879, CCI-002361, CCI-004190
[3] Standards Mapping - FIPS200 IA
[4] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-12 Session Termination (P2), MA-4 Nonlocal Maintenance (P2)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-12 Session Termination, MA-4 Nonlocal Maintenance
[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.8.1 Single or Multi Factor One Time Verifier Requirements (L1 L2 L3), 2.8.6 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.3.1 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.2 Session Logout and Timeout Requirements (L1 L2 L3), 3.3.4 Session Logout and Timeout Requirements (L2 L3), 3.6.1 Re-authentication from a Federation or Assertion (L3), 3.6.2 Re-authentication from a Federation or Assertion (L3)
[9] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling
[10] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[11] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[12] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[15] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 8.5.15
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 8.5.15
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 8.5.15
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 8.1.8
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 8.1.8
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 8.1.8
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 8.1.8
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 8.2.8
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 8.2.8
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls, Control Objective C.2.3.2 - Web Software Access Controls
[28] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3415 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3415 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3415 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3415 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3415 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3415 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3415 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000070 CAT II, APSC-DV-000080 CAT II, APSC-DV-001980 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Session Expiration (WASC-47)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Session Expiration
desc.semantic.php.cakephp_misconfiguration_excessive_session_timeout

Castor Bad Practices: Query Mode Not Read-Only

Abstract
非唯讀的 Castor 查詢會影響效能。
Explanation
即使 Castor 在物件上建立鎖定,也無法阻止其他執行緒讀取或寫入該物件。跟預設共享模式比較起來,唯讀查詢的速度大約快了七倍。

範例 1:下列範例指定查詢模式為 SHARED,允許讀取與寫入權限。

results = query.execute(Database.SHARED);
References
[1] ExoLab Group Castor JDO - Best practice
[2] Standards Mapping - Common Weakness Enumeration CWE ID 265
[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.5 Configuration Architectural Requirements (L2 L3)
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[15] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II
desc.structural.java.castor_bad_practices_query_mode_not_read_only