295 找到的項目

弱點

External Content: Content Delivery Network

C#/VB.NET/ASP.NET

Abstract

如依賴 CDN 直接提供必要程式碼給使用者，可能會導致執行惡意程式碼。

Explanation

使用 CDN 來執行依賴應用程式的 JavaScript，透過從應用程式擁有的伺服器執行 JavaScript 可提供許多優點。對應用程式所有者來說，這些優勢包括增加效能並減少需要維護的程式碼。但是，應用程式假設 CDN 會傳遞安全的內容至瀏覽器中。如果攻擊者危及 CDN，則 CDN 將傳遞惡意程式碼至使用者的伺服器。應用程式無法控制使用者瀏覽器現在執行的程式碼，或者透過偵測將其視為惡意程式碼。

範例 1：藉由參照 Microsoft CDN，下列 ASPX 程式碼包含 Microsoft 的 jQuery 程式碼：


...
<script src="http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js" type="text/javascript"></script>
...

範例 2：下列 ASPX 程式碼可讓 ASP.NET 框架 Script 的要求自動重新導向至 Microsoft Ajax CDN：


...
<asp:ScriptManager
   ID="ScriptManager1"
   EnableCdn="true"
   Runat="Server" />
...

Example 2 中，ScriptManager 控制可配置其 ASPX 頁面，以便自動重新導向所有指令碼要求至適當的 CDN。

References

[1] Content Deliver Network and its Regulation The Journal of China Universities of Posts and Telecommunications

[2] Managed Content Security Delivery radware

[3] Standards Mapping - Common Weakness Enumeration CWE ID 94, CWE ID 98

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094

[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094

[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167

[10] Standards Mapping - FIPS200 SI

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)

[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.9 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 12.3.6 File Execution Requirements (L2 L3), 14.2.4 Dependency (L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[17] Standards Mapping - OWASP Top 10 2007 A3 Malicious File Execution

[18] Standards Mapping - OWASP Top 10 2010 A1 Injection

[19] Standards Mapping - OWASP Top 10 2013 A1 Injection

[20] Standards Mapping - OWASP Top 10 2017 A1 Injection

[21] Standards Mapping - OWASP Top 10 2021 A03 Injection

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.3

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[31] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094

[32] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 098

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-003300 CAT II

[56] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.semantic.dotnet.external_content_content_delivery_network

AWS Ansible Misconfiguration: Insufficient API Gateway Logging

YAML

Abstract

組態定義了一個稽核記錄不足的服務。

Explanation

若缺乏稽核記錄，將會限制偵測和回應安全相關事件的能力，並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於：
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率

References

[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet

[2] Standards Mapping - Common Weakness Enumeration CWE ID 778

[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000172

[4] Standards Mapping - FIPS200 CM

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-2 Account Management (P1), AU-10 Non-Repudiation (P2), AU-12 Audit Generation (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-2 Account Management, AU-10 Non-Repudiation, AU-12 Audit Record Generation

[7] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[8] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[9] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[10] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[17] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II, APSC-DV-000830 CAT II

desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudFront Logging

YAML