1437 找到的項目

弱點

Go Bad Practices: Leftover Debug Code

Golang

Abstract

除錯程式碼可能會影響效能或洩露敏感資料給攻擊者。

Explanation

開發作業一般會為了除錯或測試目而增加一些「後門」程式碼，這些程式碼不會隨應用程式一起提供或部署。當這類除錯程式碼意外地留在應用程式中時，會導致應用程式開放在未預期的互動模式。這些後門入口點很容易造成安全問題，因為在設計或者測試期間，並沒有將它們考慮在內，並且不會出現在應用程式設計中的操作環境中。

References

[1] Standards Mapping - Common Weakness Enumeration CWE ID 489

[2] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[3] Standards Mapping - OWASP Application Security Verification Standard 4.0 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3), 14.2.2 Dependency (L1 L2 L3)

[4] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling

[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6

[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5

[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5

[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5

[11] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5

[12] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[15] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention

[16] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention

[18] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II

desc.semantic.golang.go_bad_practices_leftover_debug_code

GraphQL Bad Practices: GraphiQL Enabled

JavaScript/TypeScript
Python

Abstract

建立一個已啟用 GraphiQL 的 GraphQL 端點。

Explanation

GraphiQL 是一種瀏覽器內工具，它利用 GraphQL 結構描述自我檢查機制為 GraphQL API 開發和測試提供圖形介面。GraphiQL 可協助使用者探索 GraphQL 結構描述以及撰寫和執行 GraphQL 查詢。

不建議允許存取生產階段中的 GraphiQL，因為透過 GraphiQL 啟用 GraphQL 結構描述的自我檢查，可能會使您的整體安全態勢面臨風險。攻擊者可能使用 GraphiQL 和自我檢查從 GraphQL 結構描述中取得實作詳情，進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊，例如內部使用的欄位、描述和過時說明，這些資訊可能非供公開使用。

範例 1：以下程式碼將初始化一個預設啟用 GraphiQL 的 GraphQL.js 端點：


app.use('/graphql', graphqlHTTP({
    schema
}));

References

[1] OWASP OWASP Cheat Sheet Series: GraphQL Cheat Sheet

[2] Standards Mapping - Common Weakness Enumeration CWE ID 94

[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [18] CWE ID 094

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [17] CWE ID 094

[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [25] CWE ID 094

[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [23] CWE ID 094

[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [11] CWE ID 094

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.2.5 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.2.8 Sanitization and Sandboxing Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[15] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[16] Standards Mapping - OWASP Mobile 2024 M8 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 094

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3600 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3600 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3600 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3600 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3600 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3600 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3600 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-003300 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-003300 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-003300 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-003300 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-003300 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-003300 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-003300 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-003300 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-003300 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-003300 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-003300 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-003300 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-003300 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-003300 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-003300 CAT II

[55] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.javascript.graphql_bad_practices_graphiql_enabled

Abstract

建立一個已啟用 GraphiQL 的 GraphQL 端點。

Explanation

GraphiQL 是一種瀏覽器內工具，它利用 GraphQL 結構描述自我檢查機制為 GraphQL API 開發和測試提供圖形介面。GraphiQL 可協助使用者探索 GraphQL 結構描述，以及撰寫和執行 GraphQL 查詢。

不建議允許存取生產階段中的 GraphiQL，因為透過 GraphiQL 啟用 GraphQL 結構描述的自我檢查，可能會使您的整體安全態勢面臨風險。攻擊者可能使用 GraphiQL 和自我檢查從 GraphQL 結構描述中取得實作詳情，進而使他們能夠執行更具目標性的攻擊。GraphQL 結構描述可能會洩漏資訊，例如內部使用的欄位、描述和過時說明，這些資訊可能非供公開使用。

範例 1：以下程式碼將初始化一個已啟用 GraphiQL 的 GraphQL 端點：


app.add_url_rule('/graphql', view_func=GraphQLView.as_view(
  'graphql',
  schema = schema,
  graphiql = True
))