1464 items found
Weaknesses
Abstract
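The program fails to dispose of a managed object that uses unmanaged system resources.
Explanation
The program fails to properly dispose of a managed object that uses unmanaged system resources.
Failure to properly dispose of a managed object that uses unmanaged system resources has two common causes:

- Error conditions and other exceptional circumstances.
- Confusion over which part of the program is responsible for releasing the resource.

A small subset of managed .NET objects use unmanaged system resources. The .NET garbage collector may not free the original managed objects in a predictable way. Because the garbage collector is unaware of the memory consumed by the unmanaged resources, the application may run out of available memory. Most unmanaged resource leaks result in general software reliability problems, but if an attacker can intentionally trigger an unmanaged resource leak, the attacker may be able to launch a Denial of Service attack by depleting the unmanaged resource pool.

Example 1: The following method creates a managed Bitmap object from the incoming stream incomingStream. The Bitmap is manipulated and persisted to the outgoing stream outgoingStream. The Dispose() method of incomingBitmap and outgoingBitmap is never explicitly called.

Normally, you can safely rely on the garbage collector to do this at a safe time for managed objects that do not use unmanaged system resources. The garbage collector calls Bitmap.Dispose() when it sees fit. However, the Bitmap object uses scarce, unmanaged system resources. The garbage collector may fail to call Dispose() before the unmanaged resource pool is depleted.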


private void processBitmap(Stream incomingStream, Stream outgoingStream, int thumbnailSize)
{
    // Bitmap wraps an unmanaged GDI+ handle; this method never disposes it.
    Bitmap incomingBitmap = (Bitmap)System.Drawing.Image.FromStream(incomingStream);

    bool validBitmap = validateBitmap(incomingBitmap);
    if (!validBitmap)
        throw new ValidationException(incomingBitmap); // exits without disposing incomingBitmap

    // Second Bitmap, also never disposed.
    Bitmap outgoingBitmap = new Bitmap(incomingBitmap, new Size(thumbnailSize, thumbnailSize));
    outgoingBitmap.Save(outgoingStream, ImageFormat.Bmp);
}
desc.controlflow.dotnet.unreleased_resource_unmanaged_object
Abstract
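Improper use of the Java Native Interface (JNI) can render Java applications vulnerable to security flaws in other languages.
Explanation
Unsafe JNI errors occur when a Java application uses JNI to call code written in another programming language.
Example 1: The following Java code defines a class named Echo. The class declares one native method, which uses C to echo commands entered on the console back to the user.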


class Echo {
    public native void runEcho();

    static {
        System.loadLibrary("echo");
    }

    public static void main(String[] args) {
        new Echo().runEcho();
    }
}


The following C code defines the native method implemented in the Echo class:


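#include <jni.h>
#include "Echo.h" //the java class from Example 1 compiled with javah
#include <stdio.h>

JNIEXPORT void JNICALL
Java_Echo_runEcho(JNIEnv *env, jobject obj)
{
    char buf[64];
    gets(buf);   /* no bounds check: input longer than 63 bytes overflows buf */
    printf(buf); /* the input is also used as the format string */
}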


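Because the example is implemented in Java, it may appear to be completely immune to memory issues such as buffer overflow. Although Java does a good job of making memory operations safe, this protection does not extend to vulnerabilities in source code written in other languages and accessed through the Java Native Interface. Despite the memory protections offered in Java, the C code in this example is still vulnerable to a buffer overflow because it uses gets() without performing any checks on its input.

The Sun Java(TM) Tutorial provides the following description of JNI [1]:

The JNI framework lets your native method utilize Java objects in the same way that Java code uses these objects. A native method can create Java objects, including arrays and strings, and then inspect and use these objects to perform its tasks. A native method can also inspect and use objects created by Java application code. A native method can even update Java objects that it created or that were passed to it, and these updated objects are available to the Java application. Thus, both the native language side and the Java side of an application can create, update, and access Java objects and then share these objects between them.

The vulnerability in Example 1 can easily be detected through a source code audit of the native method implementation. Depending on the availability of the C source code and the way the project is built, this may not always be feasible, but in many cases it is. However, the ability to share objects between Java and native methods expands the potential risk into something more serious. Improper data handling in Java may lead to unexpected vulnerabilities in native code, or unsafe operations in native code may corrupt data structures in Java.

Vulnerabilities in native code accessed through a Java application are typically the same as those in applications written in the native language. The only challenge to such an attack is that the attacker must identify that the Java application uses native code to perform certain operations. This can be accomplished in a variety of ways, including identifying specific behaviors that are often implemented with native code, or by exploiting a System Information Leak in the Java application that exposes its use of JNI [2].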
References
[1] B. Stearns The Java Tutorial: The Java Native Interface
[2] JNI00-J. Define wrappers around native methods CERT
[3] INPUT-3: Define wrappers around native methods Oracle
[4] Standards Mapping - Common Weakness Enumeration CWE ID 111
[5] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[6] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[7] Standards Mapping - FIPS200 SI
[8] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[11] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[12] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[13] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[14] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[26] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.semantic.java.unsafe_jni
Abstract
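Improper use of the JavaScript Native Interface (JSNI) can render GWT applications vulnerable to security flaws in JavaScript.
Explanation
Unsafe JSNI errors occur when a GWT application uses JSNI to call JavaScript code.
Example 1: The following Java code defines a class named Redirect. The class declares a native JavaScript method, which uses JavaScript to change the document location.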


import com.google.gwt.user.client.ui.UIObject;

class MyDiv {

    ...

    public static void changeName(final UIObject object, final String name) {
        changeName(object.getElement(), name);
    }

    // JSNI method: name is passed to jQuery's html(), which parses it as markup.
    public static native void changeName(final Element e, final String name) /*-{
        $wnd.jQuery(e).html(name);
    }-*/;

    ...
}


In this example, passing untrusted data to the JSNI function could lead to a DOM-based Cross-Site Scripting attack.
desc.semantic.java.unsafe_jsni
Abstract
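The program violates secure coding principles for mobile code by returning a private array variable from a public access method.
Explanation
Returning a private array variable from a public access method allows the calling code to modify the contents of the array. This effectively gives the array public access and defeats the intention of the programmer who made it private.

Example 1: The following Java Applet code mistakenly returns a private array variable from a public access method.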


public final class urlTool extends Applet {
    private URL[] urls;
    public URL[] getURLs() {
        return urls;
    }
    ...
}


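Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little control over the environment in which their code executes, special security requirements are necessary. One of the biggest environmental threats is that mobile code may run side by side with other, potentially malicious, mobile code. Because all of the popular browsers execute code from multiple sources in the same JVM, many security guidelines focus on preventing adversaries who have access to the JVM where your code runs from tampering with the state and behavior of your objects.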
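An added example, not part of the original page: the getter from Example 1 beside a copy-in/copy-out variant, run against the same caller. URI stands in for URL, and the class names LeakyUrlTool and SafeUrlTool, the isAllowed() helper and the sample addresses are invented for illustration.

```java
import java.net.URI;
import java.util.Arrays;

public final class ArrayGetterDemo {

    /** Same shape as the page's urlTool: the getter returns the private array itself. */
    static final class LeakyUrlTool {
        private final URI[] urls;

        LeakyUrlTool(URI... urls) {
            this.urls = urls.clone();
        }

        public URI[] getURLs() {
            return urls; // caller now holds a live reference to internal state
        }

        boolean isAllowed(URI candidate) {
            return Arrays.asList(urls).contains(candidate);
        }
    }

    /** Hardened variant: the array is copied on the way in and on the way out. */
    static final class SafeUrlTool {
        private final URI[] urls;

        SafeUrlTool(URI... urls) {
            this.urls = urls.clone(); // later changes to the caller's array do not reach us
        }

        public URI[] getURLs() {
            return urls.clone(); // a shallow copy is enough because URI is immutable
        }

        boolean isAllowed(URI candidate) {
            return Arrays.asList(urls).contains(candidate);
        }
    }

    private static void check(boolean condition, String message) {
        if (!condition) {
            throw new AssertionError(message);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        URI trusted = URI.create("https://updates.example.com/");
        URI untrusted = URI.create("https://other.example.net/");

        // Leaky getter: other code in the same JVM rewrites the "private" list.
        LeakyUrlTool leaky = new LeakyUrlTool(trusted);
        leaky.getURLs()[0] = untrusted;
        check(!leaky.isAllowed(trusted), "leaky tool should have lost the trusted entry");
        check(leaky.isAllowed(untrusted), "leaky tool should now accept the untrusted entry");
        System.out.println("leaky: internal state was changed through the getter");

        // Copying getter: the same write only touches the caller's copy.
        SafeUrlTool safe = new SafeUrlTool(trusted);
        safe.getURLs()[0] = untrusted;
        check(safe.isAllowed(trusted), "safe tool should keep the trusted entry");
        check(!safe.isAllowed(untrusted), "safe tool should not accept the untrusted entry");
        System.out.println("safe:  internal state unchanged");
    }
}
```

For element types that are themselves mutable, a shallow clone() is not sufficient; each element must be copied as well.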
desc.structural.java.unsafe_mobile_code_access_violation
Abstract
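If an applet performs JDBC database operations in an untrusted environment, database credentials may be compromised.
Explanation
By default, Java applets are allowed to open database connections back to the server from which they were downloaded. In trusted environments this is acceptable, but in untrusted environments an attacker may use the applet to obtain database credentials and ultimately gain direct access to the database.
Example 1: The following code shows a hardcoded database password used in an applet.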

public class CustomerServiceApplet extends JApplet
{
    public void paint(Graphics g)
    {
        ...
        // Credentials are embedded in code that is downloaded to every client.
        conn = DriverManager.getConnection ("jdbc:mysql://db.example.com/customerDB", "csr", "p4ssw0rd");
        ...
    }
}


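Because applet code is downloaded to the client, users of an applet with hardcoded JDBC credentials can easily discover those credentials. In addition, if the database connection is made over an unencrypted channel, anyone who can intercept the network traffic can also obtain the credentials. Finally, allowing users to connect directly to the database exposes a publicly accessible database server, which attackers can then target for direct network attacks.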
desc.structural.java.unsafe_mobile_code_database_access
Abstract
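The program violates secure coding principles for mobile code by using an inner class.
Explanation
Inner classes introduce several security concerns because of the way they are translated into Java bytecode. In Java source code, an inner class can be declared to be accessible only by its enclosing class, but Java bytecode has no concept of an inner class, so the compiler must transform an inner class declaration into a peer class with package-level access to the original outer class. Because an inner class can access private fields in its enclosing class, once an inner class becomes a peer class in bytecode, the compiler converts the private fields accessed by the inner class into protected fields, which is potentially dangerous.

Example 1: The following Java Applet code mistakenly uses an inner class.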


public final class urlTool extends Applet {
    private final class urlHelper {
        ...
    }
    ...
}


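Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little control over the environment in which their code executes, special security requirements are necessary. One of the biggest environmental threats is that mobile code may run side by side with other, potentially malicious, mobile code. Because all of the popular browsers execute code from multiple sources in the same JVM, many security guidelines focus on preventing adversaries who have access to the JVM where your code runs from tampering with the state and behavior of your objects.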
desc.structural.java.unsafe_mobile_code_inner_class
Abstract
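The program violates secure coding principles for mobile code by declaring a finalize() method public.
Explanation
Do not call finalize explicitly, except to call super.finalize() inside an implementation of finalize(). In mobile code, the error-prone practice of manual garbage collection can become a security threat, because a finalize() method declared with public access can be invoked maliciously by an attacker. If you use finalize() as it was designed, you should declare finalize() with protected access.

Example 1: The following Java Applet code mistakenly declares a public finalize() method.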


public final class urlTool extends Applet {
    public void finalize() {
        ...
    }
    ...
}


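Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little control over the environment in which their code executes, special security requirements are necessary. One of the biggest environmental threats is that mobile code may run side by side with other, potentially malicious, mobile code. Because all of the popular browsers execute code from multiple sources in the same JVM, many security guidelines focus on preventing adversaries who have access to the JVM where your code runs from tampering with the state and behavior of your objects.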
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
desc.structural.java.unsafe_mobile_code_public_finalize_method
Abstract
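The program violates secure coding principles for mobile code by declaring an array public, final, and static.
Explanation
In most cases, declaring an array public, final, and static is a bug. Because an array is a mutable object, the final constraint requires only that the array object itself be assigned once; it makes no guarantee about the values of the array elements. Since the array is public, a malicious program can change the values stored in it. In most situations the array should therefore be made private.

Example 1: The following Java Applet code mistakenly declares an array public, final, and static.

public final class urlTool extends Applet {
    public final static URL[] urls;
    ...
}

Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little control over the environment in which their code executes, special security requirements apply. One of the biggest environmental threats is that mobile code can run side by side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources in the same JVM, many of the security guidelines for mobile code focus on preventing adversaries who have access to the JVM where your code runs from tampering with the state and behavior of your objects.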
References
[1] G. McGraw Securing Java. Chapter 7: Java Security Guidelines
[2] Standards Mapping - Common Weakness Enumeration CWE ID 582
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[15] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
desc.structural.java.unsafe_mobile_code_unsafe_array_declaration
Abstract
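The program violates secure coding principles for mobile code by declaring a member variable public but not final.
Explanation
All public member variables in an Applet and in the classes it uses should be declared final, to prevent an attacker from tampering with or gaining unauthorized access to the internal state of the Applet.

Example 1: The following Java Applet code mistakenly declares a member variable public but not final.

public final class urlTool extends Applet {
    public URL url;
    ...
}

Mobile code, in this case a Java Applet, is code that is transmitted across a network and executed on a remote machine. Because mobile code developers have little control over the environment in which their code executes, special security requirements apply. One of the biggest environmental threats is that mobile code can run side by side with other, potentially malicious, mobile code. Because all of the popular web browsers execute code from multiple sources in the same JVM, many of the security guidelines for mobile code focus on preventing adversaries who have access to the JVM where your code runs from tampering with the state and behavior of your objects.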
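The two declarations flagged in the array and public-field entries above, next to a hardened form, as an added Java example that is not part of the original page. The class names, accessor names and example.test URLs are constructed for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class FieldExposureDemo {

    // Flagged pattern: the array reference is final, its elements are not,
    // and the instance field can be reassigned by any caller.
    static final class ExposedUrls {
        public static final URL[] urls = { url("https://updates.example.test/") };
        public URL url = url("https://updates.example.test/");
    }

    // Hardened form: state is private, callers only get read-only access.
    static final class GuardedUrls {
        private static final URL[] URLS = { url("https://updates.example.test/") };
        private final URL url = url("https://updates.example.test/");

        // Unmodifiable view over a copy: writes cannot reach URLS.
        public static List<URL> urls() {
            return Collections.unmodifiableList(Arrays.asList(URLS.clone()));
        }

        // Read access only; the field itself cannot be reassigned.
        public URL getUrl() {
            return url;
        }
    }

    // Helper for the constructed sample values.
    static URL url(String s) {
        try {
            return URI.create(s).toURL();
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException(e);
        }
    }

    public static void main(String[] args) {
        URL other = url("https://other.example.test/");

        // Any code sharing the JVM can overwrite the exposed state.
        ExposedUrls.urls[0] = other;
        ExposedUrls exposed = new ExposedUrls();
        exposed.url = other;
        System.out.println("exposed array element: " + ExposedUrls.urls[0]);
        System.out.println("exposed field:         " + exposed.url);

        // Against the guarded class the field write does not compile,
        // and the write through the list view fails at run time.
        List<URL> view = GuardedUrls.urls();
        try {
            view.set(0, other);
        } catch (UnsupportedOperationException e) {
            System.out.println("guarded list rejected the write");
        }
        System.out.println("guarded array element: " + GuardedUrls.urls().get(0));
        System.out.println("guarded field:         " + new GuardedUrls().getUrl());
    }
}
```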
References
[1] G. McGraw Securing Java. Chapter 7: Java Security Guidelines
[2] MUTABLE-8: Define wrapper methods around modifiable internal state Oracle
[3] Standards Mapping - Common Weakness Enumeration CWE ID 493
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165
[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)
[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[14] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[15] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[16] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[17] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[18] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[19] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[20] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[21] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[22] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[23] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[24] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[25] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[26] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[27] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II
[32] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)
desc.structural.java.unsafe_mobile_code_unsafe_public_field
Abstract
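Improper use of Platform Invocation Services can leave managed applications exposed to security flaws in other languages.
Explanation
Unsafe Native Invoke errors occur when a managed application uses P/Invoke to call native (unmanaged) code written in another programming language.

Example 1: The following C# code defines a class named Echo. The class uses a native method, written in C, to echo commands entered on the console back to the user.

using System.Runtime.InteropServices;

class Echo
{
    // Native entry point resolved from mylib.dll through P/Invoke.
    [DllImport("mylib.dll")]
    internal static extern void RunEcho();

    static void Main(string[] args)
    {
        RunEcho();
    }
}

The following C code defines the native method implemented in the Echo class:

#include <stdio.h>
#include <stdlib.h>

void __stdcall RunEcho()
{
    char* buf = (char*) malloc(64 * sizeof(char));  /* never freed */
    gets(buf);                                      /* no bounds check on input */
    printf(buf);
}

Because Echo is implemented in managed code, it may appear to be completely immune to memory issues such as Buffer overflow vulnerabilities. Although managed environments do a good job of keeping memory operations safe, this protection does not extend to vulnerabilities that occur in native code accessed through P/Invoke. Despite the memory protection mechanisms offered by the managed runtime environment, the native code in this example is still vulnerable to a Buffer overflow because it uses gets() without performing any bounds checking on its input. In addition, buf is allocated but never freed, which is a memory leak.

The vulnerability in Example 1 can easily be detected by auditing the source code of the native method implementation. Depending on the availability of the source code and the way the project is built, this approach is not always practical, but in many cases it is. However, the mechanism that lets objects be shared between the managed and native environments expands the potential risk into more serious ones: improper data handling in managed code can lead to unexpected vulnerabilities in native code, and unsafe operations in native code can corrupt data structures in managed code.

Vulnerabilities in native code accessed through a managed application are typically the same as those in applications written in the native language. The only challenge specific to this kind of attack is that the attacker must identify that the managed application uses native code to perform certain operations. This can be done in several ways, including identifying specific behaviors that are typically implemented in native code, or exploiting a System Information Leak in the managed application that reveals its use of P/Invoke.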
References
[1] How to: Call Native DLLs from Managed Code Using PInvoke
[2] Standards Mapping - Common Weakness Enumeration CWE ID 111
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[9] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[10] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[11] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1
[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[23] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I
[24] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I
[25] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I
[26] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I
[27] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I
[28] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I
[29] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I
[30] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[31] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[32] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[33] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[34] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.dotnet.unsafe_native_invoke
Abstract
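An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that the application developers did not intend. This attack vector may allow the attacker to bypass Authentication or Access Control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control only the arguments passed to a given method or constructor may give a wily attacker what is needed to mount a successful attack.

Example 1: A common reason that programmers use reflection is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection:

var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
if (ctl == "Add") {
    ao = new AddCommand();
} else if (ctl == "Modify") {
    ao = new ModifyCommand();
} else {
    throw new UnknownActionError();
}
ao.doAction(params);

A programmer might refactor this code to use reflection as follows:

var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
ao = new cmdClass();
ao.doAction(params);

At first glance, the refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been eliminated entirely, and new command types can now be added without modifying the command dispatcher.

However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for Access Control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's Access Control code. If they fail to modify the Access Control code, some Worker classes will not have any Access Control.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows:

var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
var ctl:String = String(params["ctl"]);
var ao:Worker;
var cmdClass:Class = getDefinitionByName(ctl + "Command") as Class;
ao = new cmdClass();
ao.checkAccessControl(params);
ao.doAction(params);

Although this is an improvement, it encourages a decentralized approach to Access Control, which makes it easier for programmers to make Access Control mistakes.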
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.actionscript.unsafe_reflection
Abstract
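Allowing unvalidated input to determine the callback method of a Continuation object can create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create unexpected control flow paths through the application. This may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner.

Example 1: The following action method initiates an asynchronous request to an external web service and sets the continuationMethod property, which determines the name of the method to call when the response is received.

public Object startRequest() {
    Continuation con = new Continuation(40);

    Map<String,String> params = ApexPages.currentPage().getParameters();

    if (params.containsKey('contMethod')) {
        con.continuationMethod = params.get('contMethod');
    } else {
        con.continuationMethod = 'processResponse';
    }

    HttpRequest req = new HttpRequest();
    req.setMethod('GET');
    req.setEndpoint(LONG_RUNNING_SERVICE_URL);
    this.requestLabel = con.addHttpRequest(req);
    return con;
}

This implementation allows the continuationMethod property to be set from a runtime request parameter, which lets an attacker invoke any function whose name matches.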
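One way to keep name-based dispatch under central control, covering both the reflection-based command dispatcher and the continuationMethod case above. This is an added Java example, not code from the original page: the Route record, the permission strings and the processTimeout callback name are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;

public class AllowlistDispatchDemo {

    interface Worker {
        String doAction(Map<String, String> params);
    }

    static final class AddCommand implements Worker {
        public String doAction(Map<String, String> params) {
            return "added " + params.get("item");
        }
    }

    static final class ModifyCommand implements Worker {
        public String doAction(Map<String, String> params) {
            return "modified " + params.get("item");
        }
    }

    // A registry entry pairs the constructor with the permission it requires,
    // so a command cannot be registered without an access control decision.
    record Route(String requiredPermission, Supplier<Worker> factory) {}

    // Only names listed here are reachable; the request value is a lookup key,
    // never a class name handed to reflection.
    static final Map<String, Route> ROUTES = Map.of(
            "Add", new Route("item:create", AddCommand::new),
            "Modify", new Route("item:update", ModifyCommand::new));

    static String dispatch(String ctl, Set<String> callerPermissions,
                           Map<String, String> params) {
        // Immutable maps reject null keys, so test for null before the lookup.
        Route route = (ctl == null) ? null : ROUTES.get(ctl);
        if (route == null) {
            throw new IllegalArgumentException("unknown command");
        }
        // Access control stays in one place, before any object is created.
        if (!callerPermissions.contains(route.requiredPermission())) {
            throw new SecurityException("caller lacks " + route.requiredPermission());
        }
        return route.factory().get().doAction(params);
    }

    // Same idea for a callback name taken from a request parameter:
    // accept it only if it is on a fixed list, otherwise use the default.
    static final Set<String> CALLBACKS = Set.of("processResponse", "processTimeout");

    static String resolveCallback(String requested) {
        return (requested != null && CALLBACKS.contains(requested))
                ? requested
                : "processResponse";
    }

    public static void main(String[] args) {
        Map<String, String> params = Map.of("item", "widget");
        Set<String> perms = Set.of("item:create");

        System.out.println(dispatch("Add", perms, params));

        try {
            dispatch("Modify", perms, params);
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }

        try {
            dispatch("java.lang.Runtime", perms, params);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println(resolveCallback("processTimeout"));
        System.out.println(resolveCallback("someOtherMethod"));
    }
}
```

New command types still require no change to dispatch(), only a new registry entry that names its permission.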
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
desc.dataflow.apex.unsafe_reflection
Abstract
An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
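If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass Authentication or Access Control checks, or otherwise cause the application to behave in an unexpected manner. Even control over only the arguments passed to a given method or constructor may give a skilled attacker what is needed to mount a successful attack.

Example 1: Programmers often use reflection to implement a command dispatcher. The following example shows a command dispatcher that does not use reflection: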


    ...
    Dim ctl As String
    Dim ao As New Worker()
    ' The command name comes from the submitted form
    ctl = Request.Form("ctl")
    ' Only the commands listed here can be reached
    If (String.Compare(ctl,"Add") = 0) Then
        ao.DoAddCommand(Request)
    Else If (String.Compare(ctl,"Modify") = 0) Then
        ao.DoModifyCommand(Request)
    Else
        App.EventLog("No Action Found", 4)
    End If
    ...


A programmer might refactor this code to use reflection as follows:


    ...
    Dim ctl As String
    Dim ao As New Worker()
    ctl = Request.Form("ctl")
    ' The form value is used directly as the name of the method to call
    CallByName(ao, ctl, vbMethod, Request)
    ...


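At first glance, the refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been eliminated entirely, and new command types can now be added without modifying the command dispatcher.

However, the refactoring allows an attacker to call any method implemented by the Worker object. If the command dispatcher is responsible for Access Control, then whenever programmers create a new method within the Worker class, they must remember to modify the dispatcher's Access Control logic. If this Access Control logic becomes stale, some Worker methods will not have any Access Control.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: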


    ...
    Dim ctl As String
    Dim ao As New Worker()
    ctl = Request.Form("ctl")
    ' The Worker object itself decides whether the request may run this command
    If (ao.checkAccessControl(ctl,Request) = True) Then
        CallByName(ao, "Do" & ctl & "Command", vbMethod, Request)
    End If
    ...


Although this is an improvement, it encourages a decentralized approach to Access Control, which makes it easier for programmers to make Access Control mistakes.
desc.dataflow.dotnet.unsafe_reflection
Abstract
An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
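If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass Authentication or Access Control checks, or otherwise cause the application to behave in an unexpected manner.

If an attacker can upload files to a location on the application's path or library path, the application can be completely compromised. In either case, the attacker can use reflection to introduce new, possibly malicious, behavior into the application.

Example 1: A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a JNI command dispatcher that uses reflection to execute a Java method identified by a value read from a CGI request. This implementation allows an attacker to call any function defined in clazz.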


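    /* The method name is taken from the CGI request environment */
    char* ctl = getenv("ctl");
    ...
    /* The request value is looked up as a method of clazz and then invoked */
    jmethodID mid = GetMethodID(clazz, ctl, sig);
    status = CallIntMethod(env, clazz, mid, JAVA_ARGS);
    ...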
desc.dataflow.cpp.unsafe_reflection
Abstract
Interpreting user-controlled instructions at run time can allow attackers to execute malicious code.
Explanation
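If an attacker can supply values that the application then uses to determine which method to invoke or which field value to retrieve, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner.

Example 1: In this example, the application retrieves the name of the function to call from a command-line argument.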


    ...
    func beforeExampleCallback(scope *Scope) {
        // The function name comes from the command line
        input := os.Args[1]
        if input != "" {
            scope.CallMethod(input)
        }
    }
    ...

Example 2: In this example, the application uses the reflect package to retrieve the name of the function to call from a command-line argument.

    ...
    input := os.Args[1]
    var worker WorkerType
    // Any exported method of worker can be selected by the command-line value
    reflect.ValueOf(&worker).MethodByName(input).Call([]reflect.Value{})
    ...
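
The Go program below is an added example, not part of the original page: it contrasts the reflective dispatch of Example 2 with a dispatcher that resolves names through a fixed allowlist and performs the access control check in one place. The Worker type, its methods, the role names and the error values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

var (
	ErrUnknown = errors.New("unknown command")
	ErrDenied  = errors.New("access denied")
)

// Worker is a hypothetical stand-in for the worker type in Example 2.
type Worker struct{ Log []string }

func (w *Worker) Add()    { w.Log = append(w.Log, "add") }
func (w *Worker) Modify() { w.Log = append(w.Log, "modify") }

// PurgeAll is exported for maintenance code only; no request should reach it.
func (w *Worker) PurgeAll() { w.Log = append(w.Log, "purge") }

// dispatchReflect follows Example 2: the supplied name alone selects the
// method, so every exported method of Worker is reachable.
func dispatchReflect(w *Worker, name string) error {
	m := reflect.ValueOf(w).MethodByName(name)
	if !m.IsValid() { // calling a zero Value would panic
		return ErrUnknown
	}
	m.Call(nil)
	return nil
}

// command binds one reachable operation to the role it requires.
type command struct {
	run  func(*Worker)
	role string
}

// commands is the complete set of operations a caller may request.
// A new Worker method stays unreachable until it is listed here
// together with its required role.
var commands = map[string]command{
	"Add":    {run: (*Worker).Add, role: "user"},
	"Modify": {run: (*Worker).Modify, role: "editor"},
}

// dispatchAllowlist resolves the name through the table and enforces the
// role check centrally before anything runs.
func dispatchAllowlist(w *Worker, name string, roles map[string]bool) error {
	cmd, ok := commands[name]
	if !ok {
		return ErrUnknown
	}
	if !roles[cmd.role] {
		return ErrDenied
	}
	cmd.run(w)
	return nil
}

func main() {
	// Constructed inputs standing in for os.Args[1].
	for _, name := range []string{"Add", "Modify", "PurgeAll"} {
		a, b := &Worker{}, &Worker{}
		errR := dispatchReflect(a, name)
		errA := dispatchAllowlist(b, name, map[string]bool{"user": true})
		fmt.Printf("%-8s reflect: %v err=%v | allowlist: %v err=%v\n",
			name, a.Log, errR, b.Log, errA)
	}
}
```
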
desc.dataflow.golang.unsafe_reflection
Abstract
An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
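If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass Authentication or Access Control checks, or otherwise cause the application to behave in an unexpected manner. Even control over only the arguments passed to a given method or constructor may give a skilled attacker what is needed to mount a successful attack.

If an attacker can upload files to a location on the application's classpath, or add new entries to the application's classpath, the application can be completely compromised. In either case, the attacker can use reflection to introduce new, possibly malicious, behavior into the application.

Example 1: A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection: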


    String ctl = request.getParameter("ctl");
    Worker ao = null;
    // Only the commands listed here can be instantiated
    if (ctl.equals("Add")) {
        ao = new AddCommand();
    } else if (ctl.equals("Modify")) {
        ao = new ModifyCommand();
    } else {
        throw new UnknownActionError();
    }
    ao.doAction(request);


A programmer might refactor this code to use reflection as follows:


    String ctl = request.getParameter("ctl");
    // The request parameter selects the class to load and instantiate
    Class cmdClass = Class.forName(ctl + "Command");
    Worker ao = (Worker) cmdClass.newInstance();
    ao.doAction(request);


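At first glance, the refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been eliminated entirely, and new command types can now be added without modifying the command dispatcher.

However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for Access Control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's Access Control code. If they fail to modify the Access Control code, some Worker classes will not have any Access Control.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: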


    String ctl = request.getParameter("ctl");
    Class cmdClass = Class.forName(ctl + "Command");
    Worker ao = (Worker) cmdClass.newInstance();
    // Each Worker implementation performs its own access control check
    ao.checkAccessControl(request);
    ao.doAction(request);


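Although this is an improvement, it encourages a decentralized approach to Access Control, which makes it easier for programmers to make Access Control mistakes.

This code also highlights another security problem with using reflection to build a command dispatcher. An attacker may invoke the default constructor for any kind of object. In fact, the attacker is not even limited to objects that implement the Worker interface; the default constructor of any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException is thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage may already have been done. Although this scenario has relatively little impact in simple applications, in larger applications of growing complexity it is reasonable to assume that an attacker could find a constructor to use as part of an attack.

Access checks may also be compromised further down the code execution chain if certain Java APIs that perform tasks using the immediate caller's class loader check are invoked on untrusted objects returned by reflection calls. These Java APIs bypass the SecurityManager check that ensures all callers in the execution chain have the required security permissions. Take care that these APIs are not invoked on untrusted objects returned by reflection calls, because they bypass security access checks and leave the system vulnerable to remote attacks. For more information on these Java APIs, see Guideline 9 of the Secure Coding Guidelines for the Java Programming Language.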
References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
desc.dataflow.java.unsafe_reflection
Abstract
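An attacker can control the argument to the performSelector method, which lets them create unexpected control flow paths through the application and potentially bypass security checks.
Explanation
If an attacker can supply values that the application then uses to decide which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner.

Example 1: A common reason that programmers use the selector API is to implement their own command dispatcher. The following example shows an Objective-C command dispatcher that uses reflection to execute an arbitrary method named by a value read from a custom URL scheme request. This implementation allows an attacker to call any function that matches a method signature defined in the UIApplicationDelegate class.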


...
- (BOOL)application:(UIApplication *)application openURL:(NSURL *)url
  sourceApplication:(NSString *)sourceApplication annotation:(id)annotation {

    NSString *query = [url query];
    NSString *pathExt = [url pathExtension];
    // The selector name comes straight from the incoming URL.
    [self performSelector:NSSelectorFromString(pathExt) withObject:query];
...
desc.dataflow.objc.unsafe_reflection
Abstract
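An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
If an attacker can supply values that the application then uses to decide which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control the arguments passed to a given method or constructor may give a resourceful attacker what is needed to mount a successful attack.

The situation becomes a worst case if the attacker can upload files into a location on the application's classpath or add new entries to the application's classpath. Under either condition, the attacker can use reflection to introduce new, presumably malicious, behavior into the application.
Example 1: A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection: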


$ctl = $_GET["ctl"];
$ao = null;
// Each command class is named explicitly; request data only selects a branch.
if ($ctl === "Add") {
    $ao = new AddCommand();
} else if ($ctl === "Modify") {
    $ao = new ModifyCommand();
} else {
    throw new UnknownActionError();
}
$ao->doAction($request);


A programmer might refactor this code to use reflection as follows:


$ctl = $_GET["ctl"];
$args = $_GET["args"];
// The class name is built directly from request data.
$cmdClass = new ReflectionClass($ctl . "Command");
$ao = $cmdClass->newInstance($args);
$ao->doAction($request);


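At first glance, the refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been eliminated entirely, and it is now possible to add new command types without modifying the command dispatcher.

However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, some Worker classes will have no access control at all.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: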


$ctl = $_GET["ctl"];
$args = $_GET["args"];
$cmdClass = new ReflectionClass($ctl . "Command");
$ao = $cmdClass->newInstance($args);
// The access control check now lives in each command object.
$ao->checkAccessControl($request);
$ao->doAction($request);


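Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes.

This code also highlights another security problem with using reflection to build a command dispatcher. An attacker can invoke the default constructor for any kind of object. In fact, the attacker is not even limited to objects that implement the Worker interface; the default constructor of any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException is thrown before the assignment to $ao, but if the constructor performs operations that work in the attacker's favor, the damage has already been done. Although this scenario is relatively benign in simple applications, in larger applications of growing complexity it is reasonable to assume that an attacker could find a constructor to use as part of an attack.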
desc.dataflow.php.unsafe_reflection
Abstract
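An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
If an attacker can supply values that the application then uses to decide which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control the arguments passed to a given method or constructor may give a resourceful attacker what is needed to mount a successful attack.

The situation becomes a worst case if the attacker can upload files into a location on the application's classpath or add new entries to the application's classpath. Under either condition, the attacker can use reflection to introduce new, presumably malicious, behavior into the application.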
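The following Python sketch is an added example, not part of the original entry: it sets a reflection-based command dispatcher beside an allowlisted one with a single, central access control check. All class and function names are hypothetical and the requests are constructed sample data.

```python
# Added illustration (not from the original page). All class and function
# names are hypothetical; the sample requests are constructed.

CACHE = {"session-1": "alice"}          # state that a constructor can damage


class UnknownCommandError(Exception):
    pass


class Command:
    """Common interface that every legitimate command implements."""
    required_role = "admin"             # fail closed unless a subclass relaxes it

    def __init__(self, args):
        self.args = args

    def do_action(self, request):
        raise NotImplementedError


class AddCommand(Command):
    required_role = "user"
    def do_action(self, request):
        return f"added {self.args}"


class ModifyCommand(Command):
    required_role = "user"
    def do_action(self, request):
        return f"modified {self.args}"


class PurgeCommand(Command):
    """Added later; nobody updated the dispatcher's access control for it."""
    def do_action(self, request):
        return "purged"


class CacheResetCommand:
    """Not a Command subclass, but its constructor acts immediately."""
    def __init__(self, args):
        CACHE.clear()


def unsafe_dispatch(request):
    """Vulnerable: request data selects the class to instantiate."""
    cls = globals()[request["ctl"] + "Command"]
    obj = cls(request.get("args"))      # the constructor has already run here
    if not isinstance(obj, Command):    # the type check arrives too late
        raise TypeError("not a command")
    return obj.do_action(request)       # no access control for new classes


# Hardened: request data is only a key into a fixed table, never a class name.
ALLOWED_COMMANDS = {"Add": AddCommand, "Modify": ModifyCommand}


def safe_dispatch(request):
    cls = ALLOWED_COMMANDS.get(request.get("ctl"))
    if cls is None:
        raise UnknownCommandError(request.get("ctl"))
    # Access control stays in one place and runs before anything is built.
    if cls.required_role not in request.get("roles", ()):
        raise PermissionError(cls.__name__)
    return cls(request.get("args")).do_action(request)


def demo():
    """Run constructed requests through both dispatchers and report outcomes."""
    results = {}
    user = {"roles": ["user"], "args": "item-7"}
    results["unsafe_purge"] = unsafe_dispatch({**user, "ctl": "Purge"})
    try:
        unsafe_dispatch({**user, "ctl": "CacheReset"})
    except TypeError:
        results["unsafe_cache_after"] = dict(CACHE)   # already emptied
    CACHE["session-1"] = "alice"                      # restore for the safe run
    for name in ("Purge", "CacheReset"):
        try:
            safe_dispatch({**user, "ctl": name})
        except UnknownCommandError:
            results["safe_" + name] = "rejected"
    results["safe_cache_after"] = dict(CACHE)
    results["safe_add"] = safe_dispatch({**user, "ctl": "Add"})
    try:
        safe_dispatch({"ctl": "Add", "roles": [], "args": "item-7"})
    except PermissionError:
        results["safe_add_no_role"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

In the unsafe path the cache is emptied even though the request ends in a TypeError, which is the constructor side effect the reflection entries warn about; the allowlisted path rejects both unregistered names before any object is built.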
desc.dataflow.python.unsafe_reflection
Abstract
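An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
If an attacker can supply values that the application then uses to decide which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that its developers never intended. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control the arguments passed to a given method or constructor may give a resourceful attacker what is needed to mount a successful attack.

The situation becomes a worst case if the attacker can upload files into a location on the application's load path or add new entries to the application's load path. Under either condition, the attacker can use reflection to introduce new, presumably malicious, behavior into the application.
Example 1: A common reason that programmers use reflection is to implement their own command dispatcher. The following example shows a command dispatcher that does not use reflection: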


ctl = req['ctl']
if ctl == 'add'
  addCommand(req)
elsif ctl == 'modify'
  modifyCommand(req)
else
  raise UnknownCommandError.new
end


A programmer might refactor this code to use reflection as follows:


ctl = req['ctl']
ctl << "Command"
send(ctl)


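At first glance, the refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been eliminated entirely, and it is now possible to add new command types without modifying the command dispatcher.

However, the refactoring allows an attacker to execute any method whose name ends with the word "Command". If the command dispatcher is still responsible for access control, then whenever programmers create a new method that ends in "Command", they must remember to modify the dispatcher's access control code. Even then, when there are several similarly named methods, it is common practice to create them dynamically with define_method(), or to have them called by overriding missing_method(). Auditing and tracking these methods, and how the access control code is used with them, is difficult, and because the point at which these operations run depends on which other library code is loaded, doing this correctly in this manner is harder still.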
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.ruby.unsafe_reflection
Abstract
An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
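If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that the application developers did not intend. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control the arguments passed to a given method or constructor may give a wily attacker the edge necessary to mount a successful attack.

The situation becomes a doomsday scenario if the attacker can upload files into a location that appears on the application's classpath, or add new entries to the application's classpath. Under either of these conditions, the attacker can use reflection to introduce new, presumably malicious, behavior into the application.
Example 1: A common reason that programmers use the reflection API is to implement their own command dispatcher. The following example shows a command dispatcher that uses reflection: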


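def exec(ctl: String) = Action { request =>
  // The class name is built directly from the request-controlled value ctl
  val cmdClass = Platform.getClassForName(ctl + "Command")
  // The default constructor runs before the cast to Worker is checked
  val ao = cmdClass.newInstance().asInstanceOf[Worker]
  ao.doAction(request)
  ...
}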


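At first glance, this refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.

However, the refactoring allows an attacker to instantiate any object that implements the Worker interface. If the command dispatcher is still responsible for access control, then whenever programmers create a new class that implements the Worker interface, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker classes will not have any access control.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: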


def exec(ctl: String) = Action { request =>
  val cmdClass = Platform.getClassForName(ctl + "Command")
  val ao = cmdClass.newInstance().asInstanceOf[Worker]
  // Each Worker is now responsible for its own access control check
  ao.checkAccessControl(request)
  ao.doAction(request)
  ...
}


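Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes.

This code also highlights another security problem with using reflection to build a command dispatcher. An attacker can invoke the default constructor for any kind of object. In fact, the attacker is not even constrained to objects that implement the Worker interface; the default constructor of any object in the system can be invoked. If the object does not implement the Worker interface, a ClassCastException is thrown before the assignment to ao, but if the constructor performs operations that work in the attacker's favor, the damage has already been done. Although this scenario is relatively benign in simple applications, in larger applications of ever-increasing complexity it is not unreasonable to assume that an attacker could find a constructor to leverage as part of an attack.

Access checks may also be compromised further down the code execution chain if certain Java APIs that perform tasks using the immediate caller's class loader check are invoked on untrusted objects returned by reflection calls. These Java APIs bypass the SecurityManager check that ensures all callers in the execution chain have the requisite security permissions. Take care to ensure that these APIs are not invoked on untrusted objects returned by reflection calls, because they bypass security access checks and leave the system vulnerable to remote attacks. For more information about these Java APIs, see Guideline 9 of the Secure Coding Guidelines for the Java Programming Language.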
References
[1] Secure Coding Guidelines for the Java Programming Language, Version 4.0
[2] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[5] Standards Mapping - FIPS200 SI
[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[15] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[16] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[17] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[22] Standards Mapping - OWASP Top 10 2021 A03 Injection
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[58] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.scala.unsafe_reflection
Abstract
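An attacker is able to control an argument to the performSelector method, which could allow them to create unexpected control flow paths through the application, potentially bypassing security checks.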
Explanation
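If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that the application developers did not intend. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner.

Example 1: A common reason that programmers use the selector API is to implement their own command dispatcher. The following example shows a Swift command dispatcher that uses reflection to execute arbitrary methods by reading a value from a custom URL scheme request. This implementation allows an attacker to call any function that matches a method signature defined in the UIApplicationDelegate class.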


func application(app: UIApplication, openURL url: NSURL, options: [String : AnyObject]) -> Bool {
    ...
    let query = url.query
    let pathExt = url.pathExtension
    let selector = NSSelectorFromString(pathExt!)
    performSelector(selector, withObject:query)
    ...
}
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.swift.unsafe_reflection
Abstract
An attacker may be able to create unexpected control flow paths through the application, potentially bypassing security checks.
Explanation
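If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the attacker may be able to create control flow paths through the application that the application developers did not intend. This attack vector may allow the attacker to bypass authentication or access control checks, or otherwise cause the application to behave in an unexpected manner. Even the ability to control the arguments passed to a given method or constructor may give a wily attacker the edge necessary to mount a successful attack.

Example 1: A common reason that programmers use CallByName is to implement their own command dispatcher. The following example shows a command dispatcher that does not use the CallByName function: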


...
Dim ctl As String
Dim ao As New Worker
ctl = Request.Form("ctl")
If String.Compare(ctl,"Add") = 0 Then
    ao.DoAddCommand Request
ElseIf String.Compare(ctl,"Modify") = 0 Then
    ao.DoModifyCommand Request
Else
    App.EventLog "No Action Found", 4
End If
...



A programmer might refactor this code to use reflection as follows:


...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
CallByName ao, ctl, vbMethod, Request
...




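At first glance, this refactoring appears to offer a number of advantages. There are fewer lines of code, the if/else blocks have been entirely eliminated, and it is now possible to add new command types without modifying the command dispatcher.

However, the refactoring allows an attacker to call any method implemented by the Worker object. If the command dispatcher is still responsible for access control, then whenever programmers create a new method within the Worker class, they must remember to modify the dispatcher's access control code. If they fail to modify the access control code, then some Worker methods will not have any access control.

One way to address this access control problem is to make the Worker object responsible for performing the access control check. An example of the re-refactored code follows: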


...
Dim ctl As String
Dim ao As Worker
ctl = Request.Form("ctl")
If ao.checkAccessControl(ctl,Request) = True Then
    CallByName ao, "Do" & ctl & "Command", vbMethod, Request
End If
...



Although this is an improvement, it encourages a decentralized approach to access control, which makes it easier for programmers to make access control mistakes.
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 470, CWE ID 494
[2] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020
[3] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001764, CCI-001774, CCI-002754
[4] Standards Mapping - FIPS200 SI
[5] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[6] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 1.3
[7] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Directive 4.14, Rule 1.3
[8] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 0-3-1
[9] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 4.1.3
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 CM-7 Least Functionality (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 CM-7 Least Functionality, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.14.2 Configuration Architectural Requirements (L2 L3), 10.3.2 Deployed Application Integrity Controls (L1 L2 L3), 12.3.3 File Execution Requirements (L1 L2 L3), 14.2.3 Dependency (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection
[14] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation
[15] Standards Mapping - OWASP Mobile Application Security Verification Standard 2.0 MASVS-CODE-4
[16] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input
[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference
[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References
[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References
[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control
[21] Standards Mapping - OWASP Top 10 2021 A03 Injection
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.4
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[33] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.2.3 - Web Software Access Controls, Control Objective C.3.2 - Web Software Attack Mitigation, Control Objective C.3.5 - Web Software Attack Mitigation
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3570 CAT I
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3570 CAT I
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3570 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3570 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3570 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3570 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3570 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I
[57] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)
desc.dataflow.vb.unsafe_reflection
Abstract
Referencing memory after it has been freed can cause a program to crash.
Explanation
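Use after free errors occur when a program continues to use a pointer after it has been freed. Like double free errors and memory leaks, use after free errors have two common causes, which sometimes occur together:

- Error conditions and other exceptional circumstances.

- Confusion over which part of the program is responsible for freeing the memory.

Use after free errors sometimes have no effect on the program, and at other times cause it to crash. It is technically feasible for the freed memory to be reallocated and for an attacker to use this reallocation to launch a buffer overflow attack, but we are not aware of any attacks of this type.

Example 1: The following code illustrates a use after free error: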


char* ptr = (char*)malloc (SIZE);
...
if (err) {
    abrt = 1;
    free(ptr);
}
...
if (abrt) {
    logError("operation aborted before commit", ptr);
}
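
The same flow with the use after free removed, as an added example that is not part of the original page: the error branch only records the failure, the log call runs while the buffer is still owned, and one release point frees the buffer and nulls the pointer. The names `process_record`, `log_error` and `release`, the value of `SIZE`, and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 64 /* assumed value; the page leaves SIZE undefined */

/* Hypothetical stand-in for the page's logError(): formats into a caller
 * buffer so the message can be inspected. A NULL detail is reported
 * explicitly instead of being dereferenced. */
static void log_error(char *out, size_t out_len, const char *msg,
                      const char *detail)
{
    snprintf(out, out_len, "%s: %s", msg, detail ? detail : "(released)");
}

/* Free through the owner's pointer and null it, so that a second release
 * is a no-op and any later use sees NULL rather than a dangling address. */
static void release(char **p)
{
    if (p != NULL && *p != NULL) {
        free(*p);
        *p = NULL;
    }
}

/* Returns 0 on commit, -1 when the operation is aborted, -2 when the
 * allocation fails. On abort, log_out receives the error message. */
int process_record(const char *input, int err, char *log_out, size_t log_len)
{
    int abrt = 0;
    char *ptr = malloc(SIZE);

    if (log_len > 0) {
        log_out[0] = '\0';
    }
    if (ptr == NULL) {
        return -2;
    }
    snprintf(ptr, SIZE, "%s", input); /* truncates instead of overflowing */

    if (err) {
        /* Only record the failure here. The buffer is still needed by the
         * log call below, so it is not freed in this branch. */
        abrt = 1;
    }

    if (abrt) {
        /* ptr is still owned by this function at this point. */
        log_error(log_out, log_len, "operation aborted before commit", ptr);
    }

    release(&ptr); /* single release point for every path */
    return abrt ? -1 : 0;
}

int main(void)
{
    char msg[128];
    /* "order-42" is a constructed sample input. */
    int rc = process_record("order-42", 1, msg, sizeof msg);
    printf("rc=%d log=\"%s\"\n", rc, msg);
    return 0;
}
```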
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 416
[2] Standards Mapping - Common Weakness Enumeration Top 25 2019 [1] CWE ID 119, [7] CWE ID 416
[3] Standards Mapping - Common Weakness Enumeration Top 25 2020 [5] CWE ID 119, [8] CWE ID 416
[4] Standards Mapping - Common Weakness Enumeration Top 25 2021 [7] CWE ID 416, [17] CWE ID 119
[5] Standards Mapping - Common Weakness Enumeration Top 25 2022 [7] CWE ID 416, [19] CWE ID 119
[6] Standards Mapping - Common Weakness Enumeration Top 25 2023 [4] CWE ID 416, [17] CWE ID 119
[7] Standards Mapping - Common Weakness Enumeration Top 25 2024 [8] CWE ID 416, [12] CWE ID 020, [20] CWE ID 119
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2012 Rule 21.3
[11] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C Guidelines 2023 Rule 21.3
[12] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2008 Rule 18-4-1
[13] Standards Mapping - Motor Industry Software Reliability Association (MISRA) C++ Guidelines 2023 Rule 21.6.1
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection
[16] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service
[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection
[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II
[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II
[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II
[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II
[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II
[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II
[50] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)
[51] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service
desc.controlflow.cpp.use_after_free
Abstract
Program flow that depends on the user or the system is a bad programming practice and can create a backdoor.
Explanation
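SAP systems provide extensive authorization configuration and access management. System-level configuration can also be used to restrict privileges according to system roles. Together, these features make user- or system-dependent programming unnecessary. That is, in a securely configured customer production system, no program functionality should depend on the user who executes the program or on the system on which it runs. Querying user or system details to influence program flow is a bad practice and can create a backdoor.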
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 285, CWE ID 912
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002235
[3] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[4] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)
[5] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege
[6] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000500 CAT II
[7] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000500 CAT II
[8] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000500 CAT II
[9] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000500 CAT II
desc.structural.abap.user_system_dependent_flow
Abstract
The program accesses a variable in an ambiguous way, which can leave it open to attack.
Explanation
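The HttpRequest class provides programmatic access to variables from the QueryString, Form, Cookies, and ServerVariables collections in the form of an array access (for example, Request["myParam"]). When more than one variable exists with the same name, the .NET Framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString, Form, Cookies, then ServerVariables. Because QueryString comes first in the search order, QueryString parameters can supersede the values of form, cookie, and server variables. Similarly, form values can supersede variables in the Cookies and ServerVariables collections, and variables from the Cookies collection can supersede those from ServerVariables.
Example 1: Imagine a financial application that temporarily stores a user's email address in a cookie and reads this value when it needs to contact the user. The following code reads the cookie value and sends the account balance to the specified email address.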

...
String toAddress = Request["email"]; //Expects cookie value
Double balance = GetBalance(userID);
SendAccountBalance(toAddress, balance);
...

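Suppose the code in Example 1 is executed when visiting http://www.example.com/GetBalance.aspx. If an attacker can cause an authenticated user to click a link that requests http://www.example.com/GetBalance.aspx?email=evil%40evil.com, an email containing the user's account balance is sent to evil@evil.com.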
References
[1] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[2] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[3] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[4] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[13] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[14] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II
desc.semantic.dotnet.value_shadowing
Abstract
The program accesses a server variable in an ambiguous way, which can leave it open to attack.
Explanation
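The HttpRequest class provides programmatic access to variables from the QueryString, Form, Cookies, and ServerVariables collections in the form of an array access (for example, Request["myParam"]). When more than one variable exists with the same name, the .NET Framework returns the value of the variable that appears first when the collections are searched in the following order: QueryString, Form, Cookies, then ServerVariables. Because QueryString comes first in the search order, QueryString parameters can supersede the values of form, cookie, and server variables. Similarly, form values can supersede variables in the Cookies and ServerVariables collections, and variables from the Cookies collection can supersede those from ServerVariables.
Example 1: The following code checks the HTTP Referer header server variable to verify that the request came from www.example.com before serving content.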

...
if (Request["HTTP_REFERER"].StartsWith("http://www.example.com"))
    ServeContent();
else
    Response.Redirect("http://www.example.com/");
...


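Suppose the code in Example 1 is executed when visiting http://www.example.com/ProtectedImages.aspx. If an attacker makes a direct request to the URL, the appropriate Referer header is not set and the request fails. However, if the attacker submits a forged HTTP_REFERER parameter with the required value, such as http://www.example.com/ProtectedImages.aspx?HTTP_REFERER=http%3a%2f%2fwww.example.com, the lookup returns the value from QueryString instead of ServerVariables and the check succeeds.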
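The lookup order behind both value-shadowing entries above (the cookie read and the server-variable read), as an added example that is not part of the original page or of the .NET Framework: a stand-alone model of the indexer next to explicit per-collection reads and a shadowing check. `FakeRequest`, `ShadowedBy` and the sample cookie and Referer values are hypothetical and constructed for illustration; only the query strings come from the text.

```csharp
using System;
using System.Collections.Specialized;

// Constructed stand-in for System.Web.HttpRequest. It models only the four
// collections and the indexer search order described in the text.
sealed class FakeRequest
{
    static readonly string[] Names = { "QueryString", "Form", "Cookies", "ServerVariables" };

    public NameValueCollection QueryString { get; } = new NameValueCollection();
    public NameValueCollection Form { get; } = new NameValueCollection();
    public NameValueCollection Cookies { get; } = new NameValueCollection();
    public NameValueCollection ServerVariables { get; } = new NameValueCollection();

    NameValueCollection[] Ordered()
    {
        return new[] { QueryString, Form, Cookies, ServerVariables };
    }

    // Ambiguous read, like Request["key"]: the first collection holding the key wins.
    public string this[string key]
    {
        get
        {
            foreach (NameValueCollection source in Ordered())
            {
                string value = source[key];
                if (value != null) return value;
            }
            return null;
        }
    }

    // Names the higher-priority collection that would answer Request[key]
    // instead of `expected`, or returns null when nothing shadows it.
    public string ShadowedBy(string key, string expected)
    {
        NameValueCollection[] ordered = Ordered();
        for (int i = 0; i < ordered.Length && Names[i] != expected; i++)
        {
            if (ordered[i][key] != null) return Names[i];
        }
        return null;
    }
}

static class ValueShadowingDemo
{
    // Server-side state is constructed sample data; `query` is what the client sent.
    static FakeRequest Build(string query)
    {
        var req = new FakeRequest();
        req.Cookies["email"] = "alice@example.com";
        req.ServerVariables["HTTP_REFERER"] = "http://other.example/page";
        foreach (string pair in query.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            string value = kv.Length > 1 ? Uri.UnescapeDataString(kv[1]) : "";
            req.QueryString[Uri.UnescapeDataString(kv[0])] = value;
        }
        return req;
    }

    // Prints the ambiguous read, the explicit read, and the shadowing verdict.
    static void Report(FakeRequest req, string key, string expected, string explicitValue)
    {
        Console.WriteLine("Request[\"{0}\"] = {1}", key, req[key]);
        Console.WriteLine("{0}[\"{1}\"] = {2}", expected, key, explicitValue);
        string shadow = req.ShadowedBy(key, expected);
        Console.WriteLine(shadow == null
            ? "  no shadowing"
            : "  shadowed by " + shadow + ": reject or log the request");
    }

    static void Main()
    {
        // Query strings from the two URLs in the text above.
        FakeRequest mail = Build("email=evil%40evil.com");
        Report(mail, "email", "Cookies", mail.Cookies["email"]);

        FakeRequest image = Build("HTTP_REFERER=http%3a%2f%2fwww.example.com");
        Report(image, "HTTP_REFERER", "ServerVariables", image.ServerVariables["HTTP_REFERER"]);

        // Same server-side state without a forged parameter: both reads agree.
        FakeRequest clean = Build("");
        Report(clean, "email", "Cookies", clean.Cookies["email"]);
    }
}
```

In an ASP.NET page the corresponding explicit reads go through `Request.Cookies` and `Request.ServerVariables` rather than the `Request[...]` indexer. Reading the Referer explicitly removes the shadowing, but the header is still supplied by the client, so it should not be the only gate on protected content.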
References
[1] Microsoft IIS Server Variables
[2] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310
[3] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[4] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[5] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6
[6] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[11] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection
[12] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation
[13] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation
[14] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II
[15] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002530 CAT II
[16] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002530 CAT II
desc.semantic.dotnet.value_shadowing_server_variable
Abstract
Missing authentication means that anyone can access this service.
Explanation
If a service does not authenticate its clients, every visitor can access the service.

References
[1] Common Security Scenarios Microsoft
[2] Message Security with an Anonymous Client Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_anonymous_message_client
Abstract
Missing authentication means that anyone can access this service.
Explanation
If a service does not authenticate its clients, every visitor can access the service.

References
[1] Common Security Scenarios Microsoft
[2] Transport Security with an Anonymous Client Microsoft
[3] Standards Mapping - Common Weakness Enumeration CWE ID 285
[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-000804, CCI-002165
[5] Standards Mapping - FIPS200 IA
[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)
[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, IA-8 Identification and Authentication (Non-Organizational Users)
[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3), 13.1.4 Generic Web Service Security Verification Requirements (L2 L3)
[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management
[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management
[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management
[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management
[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication
[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures
[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3, Requirement 7.2
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7, Requirement 7.2
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8, Requirement 7.2
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10, Requirement 7.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10, Requirement 7.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10, Requirement 7.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10, Requirement 7.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.1
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 7.3.1
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285
[31] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.2 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.2 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.2 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.2 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.2 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.2 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.2 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-001870 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authentication (WASC-01)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication
desc.semantic.dotnet.wcf_misconfiguration_anonymous_transport_client
Abstract
Debugging information helps attackers learn about the system and plan a form of attack.
Explanation
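A Windows Communication Framework (WCF) service can be configured to expose debugging information. Debug information should not be used in production environments. The <serviceDebug> tag defines whether the debug information feature is enabled for a WCF service.

If the includeExceptionDetailInFaults attribute is set to true, exception information from the application is returned to clients. Attackers can use the additional information they gain from debugging output to mount attacks targeted at the framework, database, or other resources used by the application.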

Example: The following configuration file includes a <serviceDebug> tag:

<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MyServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="True" httpHelpPageEnabled="True"/>
...
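One way to check a configuration file for the setting described above, as an added example that is not part of the original page: a small audit that reports every behavior whose <serviceDebug> element turns on includeExceptionDetailInFaults. The sample configuration is constructed (the page's fragment completed into well-formed XML, plus a hypothetical `HardenedBehavior` with the attribute set to false), and `ServiceDebugAudit` is an illustrative name.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class ServiceDebugAudit
{
    // Constructed sample input: the weak behavior from the text beside a
    // corrected one that keeps exception details out of faults.
    const string SampleConfig = @"
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name=""MyServiceBehavior"">
          <serviceDebug includeExceptionDetailInFaults=""True"" httpHelpPageEnabled=""True""/>
        </behavior>
        <behavior name=""HardenedBehavior"">
          <serviceDebug includeExceptionDetailInFaults=""false""/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>";

    // Returns one finding per behavior that returns exception details to clients.
    public static List<string> Findings(string configXml)
    {
        var findings = new List<string>();
        XDocument doc = XDocument.Parse(configXml);
        foreach (XElement debug in doc.Descendants("serviceDebug"))
        {
            // The enclosing <behavior> may be unnamed (the default behavior).
            XElement behavior = debug.Parent;
            string name = behavior == null ? null : (string)behavior.Attribute("name");
            if (string.IsNullOrEmpty(name)) name = "(unnamed behavior)";

            // Compare case-insensitively: the text's sample writes "True".
            string value = (string)debug.Attribute("includeExceptionDetailInFaults");
            if (string.Equals(value, "true", StringComparison.OrdinalIgnoreCase))
            {
                findings.Add(name + ": includeExceptionDetailInFaults=\"" + value + "\"");
            }
        }
        return findings;
    }

    static void Main()
    {
        List<string> findings = Findings(SampleConfig);
        foreach (string finding in findings)
        {
            Console.WriteLine("FAIL " + finding);
        }
        Console.WriteLine(findings.Count + " behavior(s) expose exception details");
    }
}
```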
References
[1] Microsoft
[2] Standards Mapping - Common Weakness Enumeration CWE ID 215
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [4] CWE ID 200
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [7] CWE ID 200
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [20] CWE ID 200
[6] Standards Mapping - Common Weakness Enumeration Top 25 2024 [17] CWE ID 200
[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001312, CCI-001314, CCI-002420, CCI-003272
[8] Standards Mapping - FIPS200 CM
[9] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SA-15 Development Process and Standards and Tools (P2), SC-8 Transmission Confidentiality and Integrity (P1), SI-11 Error Handling (P2)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SA-15 Development Process and Standards and Tools, SC-8 Transmission Confidentiality and Integrity, SI-11 Error Handling
[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 8.3.4 Sensitive Private Data (L1 L2 L3), 14.3.2 Unintended Security Disclosure Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls
[15] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management
[16] Standards Mapping - OWASP Top 10 2007 A6 Information Leakage and Improper Error Handling
[17] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration
[18] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[19] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[20] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.6
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.5
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.5
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.5
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.5
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.5
[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 3.6 - Sensitive Data Retention
[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 3.6 - Sensitive Data Retention
[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 3.6 - Sensitive Data Retention
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3620 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3620 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3620 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3620 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3620 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3620 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3620 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002480 CAT II, APSC-DV-002570 CAT II, APSC-DV-002580 CAT II, APSC-DV-003235 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Information Leakage (WASC-13), Fingerprinting (WASC-45)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage
desc.config.dotnet.wcf_misconfiguration_debug_information
Abstract
When configuring an application, make sure that all access to sensitive information uses HTTPS.
Explanation
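If an application that handles sensitive information does not use message-level encryption, it should only be allowed to communicate over an encrypted transport channel.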

desc.config.dotnet.wcf_service_provider_misconfiguration_insecure_transport
Abstract
The program is configured not to generate an exception when it fails to write to an audit log.
Explanation
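If WCF is configured not to throw an exception when it is unable to write to an audit log, the program is not notified of the failure, and critical security events may go unaudited.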

Example 1: The <behavior/> element of the following WCF configuration file instructs WCF not to notify the application when WCF fails to write to an audit log.


<behaviors>
  <serviceBehaviors>
    <behavior name="NewBehavior">
      <serviceSecurityAudit auditLogLocation="Application"
                            suppressAuditFailure="true"
                            serviceAuthorizationAuditLevel="Success"
                            messageAuthenticationAuditLevel="Success" />
    </behavior>
  </serviceBehaviors>
</behaviors>
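
An added example, not part of the original entry or of any scanner's own rule code: a Python check that parses a WCF configuration and reports every serviceSecurityAudit element whose audit-write failures are suppressed, together with the audit levels that would be lost silently. It assumes WCF's documented default of true when suppressAuditFailure is omitted; the function name and the two extra behaviors in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the behavior from Example 1 plus two constructed
# variants (attribute omitted, and attribute set to false).
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="NewBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
                                suppressAuditFailure="true"
                                serviceAuthorizationAuditLevel="Success"
                                messageAuthenticationAuditLevel="Success" />
        </behavior>
        <behavior name="ImplicitDefault">
          <serviceSecurityAudit auditLogLocation="Application"
                                serviceAuthorizationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="FailClosed">
          <serviceSecurityAudit auditLogLocation="Security"
                                suppressAuditFailure="false"
                                serviceAuthorizationAuditLevel="SuccessOrFailure"
                                messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>"""

# Audit-level attributes of <serviceSecurityAudit>; both default to "None".
LEVEL_ATTRS = ("serviceAuthorizationAuditLevel", "messageAuthenticationAuditLevel")


def find_suppressed_audit_failures(config_xml):
    """Return one finding per <serviceSecurityAudit> that hides audit-write failures.

    Hypothetical helper for this example. Accepts a full config file or a bare
    <behaviors> fragment such as the one in Example 1.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for behavior in root.iter("behavior"):
        for audit in behavior.iter("serviceSecurityAudit"):
            raw = audit.get("suppressAuditFailure")
            if raw is None:
                # Assumption: WCF's documented default for this attribute is true.
                reason = "attribute omitted, WCF default (true) applies"
            elif raw.strip().lower() == "false":
                continue  # failures surface to the application: nothing to report
            elif raw.strip().lower() == "true":
                reason = "explicitly set to true"
            else:
                reason = "unrecognised value %r" % raw
            # Events configured for auditing that could be dropped without notice.
            at_risk = {}
            for attr in LEVEL_ATTRS:
                level = audit.get(attr, "None")
                if level != "None":
                    at_risk[attr] = level
            findings.append({
                "behavior": behavior.get("name", "(unnamed)"),
                "reason": reason,
                "audited_events_at_risk": at_risk,
            })
    return findings


if __name__ == "__main__":
    for f in find_suppressed_audit_failures(SAMPLE_CONFIG):
        print("%(behavior)s: %(reason)s; at risk: %(audited_events_at_risk)s" % f)
```
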

desc.config.dotnet.wcf_misconfiguration_insufficient_audit_failure_handling