1437 找到的項目

弱點

Dangerous Function: xp_cmdshell

PLSQL/TSQL

Abstract

無法安全地使用 xp_cmdshell 函數。不應使用該函數。

Explanation

某些函數無論使用方法為何，都有危險性。xp_cmdshell 函數會啟動 Windows 指令 shell，以執行提供的指令字串。該指令會在預設系統或提供的代理伺服器環境中執行。但是，沒有方法可以將使用者限制為預先指定的權限操作組合，任何權限授予都會開放使用者執行任何指令字串。

References

[1] xp_cmdshell

[2] Standards Mapping - Common Weakness Enumeration CWE ID 242

[3] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[4] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control

[14] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676

[15] Standards Mapping - Web Application Security Consortium Version 2.00 OS Commanding (WASC-31)

[16] Standards Mapping - Web Application Security Consortium 24 + 2 OS Commanding

desc.semantic.sql.dangerous_function_xp_cmdshell

Dangerous Method

Java/JSP

Abstract

已將此方法註解為危險。此方法的所有用法都會標記為有問題。

Explanation

FortifyDangerous 註解已套用至此方式。會使用此方式來指出危險，而且應該檢查所有用法的安全性。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 749

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.5.1 Validate HTTP Request Header Requirements (L1 L2 L3)

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[13] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 676

desc.structural.java.dangerous_method

Dangerous Type

Java/JSP

Abstract

已將此變數的類型註解為危險。

Explanation

FortifyDangerous 註解已套用至此類型。會使用此方式來指出危險，而且應該檢查所有用法的安全性。

References

[1] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[2] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[3] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[8] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[9] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[10] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

desc.structural.java.dangerous_class_variable

Database Bad Practices: Use of Restricted Accounts

PLSQL/TSQL

Abstract

已嘗試使用以下其中一個帳戶連線至資料庫：admin、administrator、guest、root 或 sa。

Explanation

Windows Azure SQL 資料庫僅支援 SQL Server 驗證。不支援 Windows 驗證 (整合式安全性)。每次連線到 Windows Azure SQL 資料庫時，使用者都必須提供憑證 (登入和密碼)。對於 Microsoft Windows Azure SQL 資料庫一般原則和限制，不可使用以下帳戶名稱：admin、administrator、guest、root、sa。

References

[1] Security Guidelines and Limitations (Windows Azure SQL Database)

[2] Windows Azure SQL Database Concepts

[3] Transact-SQL Support (Windows Azure SQL Database)

[4] Development Considerations in Windows Azure SQL Database

[5] Managing Databases and Logins in Windows Azure SQL Database

[6] Configure and manage Azure AD authentication with Azure SQL

[7] How to: Connect to Windows Azure SQL Database Using sqlcmd

[8] Copying Databases in Windows Azure SQL Database

[9] Data Types (Windows Azure SQL Database)

[10] Deprecated Database Engine Features in SQL Server 2012

[11] EXECUTE AS (Transact-SQL)

[12] Security Statements

[13] System Stored Procedures (Windows Azure SQL Database)

[14] Guidelines and Limitations (Windows Azure SQL Database)

[15] General Guidelines and Limitations (Windows Azure SQL Database)

[16] Standards Mapping - Common Weakness Enumeration CWE ID 272

[17] Standards Mapping - Common Weakness Enumeration Top 25 2023 [22] CWE ID 269

[18] Standards Mapping - Common Weakness Enumeration Top 25 2024 [15] CWE ID 269

[19] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000381, CCI-002233, CCI-002235

[20] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[21] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1), CM-7 Least Functionality (P1)

[22] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege, CM-7 Least Functionality

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.4.3 Access Control Architectural Requirements (L2 L3), 10.2.2 Malicious Code Search (L2 L3)

[24] Standards Mapping - OWASP Mobile 2024 M1 Improper Credential Usage

[25] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 7.1.1

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 7.1.1

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 7.1.2

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 7.1.2

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 7.1.2

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 7.1.2

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 7.2.2

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 7.2.2

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.3 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.3 - Authentication and Access Control

[36] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.3 - Authentication and Access Control, Control Objective C.2.1.2 - Web Software Access Controls

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3500 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3500 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3500 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3500 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3500 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3500 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3500 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II, APSC-DV-000510 CAT I, APSC-DV-001500 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.sql.code_quality_database_authentication_use_of_restricted_accounts

Dead Code

C/C++
Solidity

Abstract

此指令將永不被執行。

Explanation

周圍的程式碼將會使此指令永不執行。

範例 1：第二個 if 陳述式的條件將無法滿足。變數 s 不能為 Null，但只能將 s 設為非 Null 值的路徑卻存在 return 陳述式。


String s = null;

if (b) {
   s = "Yes";
   return;
}

if (s != null) {
   Dead();
}

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 561

[2] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 2.1

[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 2.1

[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-1-1, Rule 0-1-2

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 0.0.1, Rule 0.0.2

[6] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.1 Input Validation Requirements (L1 L2 L3), 8.1.3 General Data Protection (L2 L3)

[7] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3050 CAT II

[8] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3050 CAT II

[9] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3050 CAT II

[10] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3050 CAT II

[11] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3050 CAT II

[12] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3050 CAT II

[13] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3050 CAT II

[14] Standards Mapping - Smart Contract Weakness Classification SWC-135

desc.internal.cpp.dead_code

Denial of Service

Abstract

攻擊者會摧毀程式或者讓合法的使用者無法使用程式。

Explanation

攻擊者能夠對應用程式發送大量要求，使其拒絕對合法使用者的服務，但大量攻擊形式通常會在網路層便被排除掉。較嚴重的問題是可讓攻擊者使用少量要求便可超載應用程式的錯誤 (bug)。此種錯誤可讓攻擊者去指定要求系統資源使用的數量，或是他們會持續使用這些系統資源而造成資源耗竭的時間。

範例 1：以下程式碼允許使用者指定目前工作程序進入睡眠的時間長度。若指定較大的數字，攻擊者可能無限期地佔用工作程序。


...
CALL FUNCTION 'ENQUE_SLEEP'
  EXPORTING
    SECONDS = usrInput.
...

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 730

[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386

[3] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14

[4] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[6] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[7] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation

[8] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption

[9] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)

[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[11] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[12] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation

[17] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II

[39] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[40] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.dataflow.abap.denial_of_service

Abstract

應用程式使用用戶端的遠端 IP 位址來建立 RateLimitPartition。

Explanation

根據用戶端的 IP 位址建立 RateLimitPartitions 會使應用程式容易遭受採用 IP Source Address Spoofing 的 Denial of Service 攻擊。

範例 1：在以下範例中，GetTokenBucketLimiter() 方法使用遠端 IP 位址 (RemoteIpAddress) 作為建立 RateLimitPartition 時的分割區索引鍵：


...
builder.Services.AddRateLimiter(limiterOptions => {
    limiterOptions.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, IPAddress>(context => {

        IPAddress? ip = context.Connection.RemoteIpAddress;

        return RateLimitPartition.GetTokenBucketLimiter(ip!, _ =>
            new TokenBucketRateLimiterOptions
            {
                TokenLimit = 7
            });
    });
});
...

References

[1] By Arvin Kahbazi, Maarten Balliauw, and Rick Anderson Rate limiting middleware in ASP.NET Core Microsoft

[2] P, Ferguson Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Cisco Systems

[3] Standards Mapping - Common Weakness Enumeration CWE ID 730

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094, CCI-002386

[5] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14

[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1

[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-4 Security Impact Analysis (P2), CM-6 Configuration Settings (P1), SC-5 Denial of Service Protection (P1), SI-10 Information Input Validation (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-4 Impact Analyses, CM-6 Configuration Settings, SC-5 Denial of Service Protection, SI-10 Information Input Validation

[10] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 12.1.1 File Upload Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4

[14] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.4 - Web Software Attack Mitigation

[19] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II, APSC-DV-002410 CAT II, APSC-DV-002530 CAT II, APSC-DV-002950 CAT II, APSC-DV-003320 CAT II

[41] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[42] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.controlflow.dotnet.asp_dotnet_core_rate_limitting_denial_of_service

Abstract

攻擊者會摧毀程式或者讓合法的使用者無法使用程式。

Explanation

攻擊者能夠對應用程式發送大量要求，使其拒絕對合法使用者的服務，但大量攻擊形式通常會在網路層便被排除掉。較嚴重的問題是可讓攻擊者使用少量要求便可超載應用程式的錯誤 (bug)。此種錯誤可讓攻擊者去指定要求系統資源使用的數量，或是他們會持續使用這些系統資源的時間。

範例 1：以下程式碼允許使用者指定目前程序進入睡眠的時間長度。若指定較大的數字，攻擊者可能無限期地佔用程序。


  unsigned int usrSleepTime = uatoi(usrInput);
  sleep(usrSleepTime);