281 找到的項目

弱點

Unsafe JSNI

Java/JSP

Abstract

不適當的使用 JavaScript Native Interface (JSNI) 可能導致 GWT 應用程式容易受到 JavaScript 安全性漏洞的攻擊。

Explanation

當 GWT 應用程式使用 JSNI 呼叫 javascript 程式碼時，會出現不安全的 JSNI 錯誤。
範例：以下 Java 程式碼會定義一個名為 Redirect 的類別。此類別會宣告一個原生的 JavaScript 方法，該方法使用 JavaScript 來變更文件位置。


import com.google.gwt.user.client.ui.UIObject;

class MyDiv {

    ...

    public static void changeName(final UIObject object, final String name) {
        changeName(object.getElement(), url);
    }

    public static native void changeName(final Element e, final String name) /*-{
        $wnd.jQuery(e).html(name);
    }-*/;

    ...
}

在此範例中，將不可信賴的資料傳遞給 JSNI 函數可能會導致遭受 DOM 型 Cross-Site Scripting 攻擊。

References

[1] JSNI Google

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[6] Standards Mapping - CIS Kubernetes Benchmark partial

[7] Standards Mapping - Common Weakness Enumeration CWE ID 111

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - FIPS200 SI

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[14] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[15] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation

[16] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[27] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[28] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[29] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[30] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[31] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[32] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[33] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

[48] Standards Mapping - Web Application Security Consortium Version 2.00 Improper Input Handling (WASC-20)

desc.semantic.java.unsafe_jsni

Session Puzzling: Spring

Java/JSP

Abstract

攻擊者會修改可能導致應用程式邏輯濫用的 Spring 階段作業屬性。

Explanation

使用 @SessionAttributes 註解的類別，意味著 Spring 複製了對階段作業物件中的模型屬性的變更。如果攻擊者能夠在模型屬性內儲存任意值，將會在可能受應用程式信任的階段作業物件中複製這些變更。如果階段作業屬性透過使用者無法修改的信任資料初始化，則攻擊者可以執行階段作業疑難攻擊並濫用應用程式邏輯。

範例 1：以下控制項包含可在成功登入後便立即將使用者資料載入階段作業的方式。


@Controller
@SessionAttributes("user")
public class HomeController {
    ...
    @RequestMapping(value= "/auth", method=RequestMethod.POST)
    public String authHandler(@RequestParam String username, @RequestParam String password, RedirectAttributes attributes, Model model) {
        User user = userService.findByNamePassword(username, password);
        if (user == null) {
            // Handle error
            ...
        } else {
            // Handle success
            attributes.addFlashAttribute("user", user);
            return "redirect:home";
        }
    }
    ...
}

其他控制項可處理重設密碼功能。由於類別已使用 @SessionAttributes("user") 註解，將嘗試從階段作業載入 User 實例，並使用它來驗證重設密碼問題。


@Controller
@SessionAttributes("user")
public class ResetPasswordController {

    @RequestMapping(value = "/resetQuestion", method = RequestMethod.POST)
    public String resetQuestionHandler(@RequestParam String answerReset, SessionStatus status, User user, Model model) {

        if (!user.getAnswer().equals(answerReset)) {
            // Handle error
            ...
        } else {
            // Handle success
            ...
        }
    }
}

開發人員的意圖是將 user 實例從登入程序期間儲存所在的階段作業載入。但是，Spring 將會檢查要求並嘗試將其資料繫結至模型 user 實例。如果收到的要求包含可繫結至 User 類別的資料，Spring 會將收到的資料合併到使用者階段作業屬性。透過在 answerReset 查詢參數中提交任意答覆和相同的值覆寫階段作業中儲存的值，可濫用此案例。這樣一來，攻擊者可以為隨機使用者設定任意新密碼。

References

[1] Alexey Tyurin Spring MVC and Autobinding vulns.

[2] Alexey Tyurin Autobinding vulns and Spring MVC

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[5] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[6] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001664, CCI-001941, CCI-001942

[8] Standards Mapping - FIPS200 IA

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-23 Session Authenticity (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-23 Session Authenticity

[12] Standards Mapping - OWASP Top 10 2004 A3 Broken Authentication and Session Management

[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2010 A3 Broken Authentication and Session Management

[15] Standards Mapping - OWASP Top 10 2013 A2 Broken Authentication and Session Management

[16] Standards Mapping - OWASP Top 10 2017 A2 Broken Authentication

[17] Standards Mapping - OWASP Top 10 2021 A07 Identification and Authentication Failures

[18] Standards Mapping - OWASP API 2023 API2 Broken Authentication

[19] Standards Mapping - OWASP Mobile 2014 M9 Improper Session Handling

[20] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation

[21] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.3

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3405 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3405 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3405 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3405 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3405 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3405 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3405 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002250 CAT II, APSC-DV-002260 CAT II, APSC-DV-002270 CAT II, APSC-DV-002280 CAT II, APSC-DV-002530 CAT II

desc.dataflow.java.session_puzzling_spring

Race Condition: PHP Design Flaw

Abstract

PHP 配置選項 open_basedir 存在一個設計缺陷，使其容易發生檔案存取 race condition，這可能使攻擊者繞過 file system 上的 access control 檢查。

Explanation

若啟用 open_basedir 配置選項，該選項會試圖阻止 PHP 程式對 php.ini 中所指定的目錄結構以外的檔案執行操作。雖然 open_basedir 選項可保證系統的安全性，但其執行方式卻受到 race condition 的不利影響，這可能會讓攻擊者在某些情況下略過該選項所定義的限制[2]。PHP 執行存取權限檢查和開啟檔案間，會存在 time-of-check、time-of-use (TOCTOU) race condition。與其他語言中 file system 的 race condition 相同，此弱點會讓攻擊者將指向透過 access control 檢查的 symlink 替換成另一個原來不能通過測試的檔案，以取得受保護檔案的存取權。

此類攻擊針對的弱點大小視執行存取檢查和開啟檔案間的時間長短而定。即使連續執行呼叫，現今的作業系統也無法保證在處理程序讓出 CPU 之前執行的程式碼數量。攻擊者有許多技術來加長時間長度，使得盜取攻擊更加容易，但即使是很小的時間長度，此攻擊企圖也可以不斷的重複，直到成功為止。

References

[1] M. Achour et al. PHP Manual

[2] Stefan Esser PHP open_basedir Race Condition Vulnerability

[3] Artur Maj Securing PHP

[4] Emmanuel Dreyfus Securing Systems with Chroot

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[6] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 4

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[10] Standards Mapping - Common Weakness Enumeration CWE ID 362, CWE ID 367

[11] Standards Mapping - Common Weakness Enumeration Top 25 2022 [22] CWE ID 362

[12] Standards Mapping - Common Weakness Enumeration Top 25 2023 [21] CWE ID 362

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-003178

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A04 Insecure Design

[18] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.11.2 Business Logic Architectural Requirements (L2 L3), 1.11.3 Business Logic Architectural Requirements (L3), 11.1.6 Business Logic Security Requirements (L2 L3)

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 7.3.2

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective B.3.3 - Terminal Software Attack Mitigation

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective B.3.3 - Terminal Software Attack Mitigation

[22] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 362

[23] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 362

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3630.1 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3630.1 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3630.1 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3630.1 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3630.1 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3630.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3630.1 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001995 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001995 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001995 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001995 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001995 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001995 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001995 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001995 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001995 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001995 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001995 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001995 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001995 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001995 CAT II

desc.structural.php.race_condition_php_design_flaw

Cross-Client Data Access

ABAP

Abstract

程式可讓未經授權的使用者從 SAP 系統的其他用戶端存取資料。

Explanation

SAP 系統中的應用程式資料依據用戶端加以分隔 (用戶端分隔)，所有 Open SQL 陳述式都會自動存取/修改屬於已登入用戶端的資料 (用戶端處理)。提供這些功能是為了將屬於企業內不同業務單元或組織的資料進行邏輯分隔。但是，可以使用下列功能規避 ABAP 程式內的用戶端分隔與用戶端處理機制：

1. 原生 SQL 陳述式，或
2. 附加有 CLIENT SPECIFIED 的 Open SQL 陳述式，或
3. ADBC (ABAP 資料庫連線能力) API，或
4. 可從其他用戶端存取用戶端特定資料的其他 API

SAP 不會檢查使用者是否已獲從指定用戶端存取資料的授權。這會導致安全性風險，即，未經授權的使用者可能會透過其他用戶端檢視或修改資料。

範例 1：以下程式碼使用 Open SQL 擷取員工詳細資料。


...
PARAMETERS: p_input TYPE sy-mandt.

SELECT *
  FROM employee_records
  CLIENT SPECIFIED
  INTO TABLE tab_output
  WHERE mandt = p_input.
...

在此案例中，執行此程式碼的未經授權使用者將可以透過已登入用戶端 SY-MANDT 之外的用戶端檢視員工詳細資料。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 3.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - CIS Kubernetes Benchmark partial

[7] Standards Mapping - Common Weakness Enumeration CWE ID 285

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-002165

[9] Standards Mapping - FIPS200 AC

[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1)

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement

[13] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2007 A10 Failure to Restrict URL Access

[15] Standards Mapping - OWASP Top 10 2010 A8 Failure to Restrict URL Access

[16] Standards Mapping - OWASP Top 10 2013 A7 Missing Function Level Access Control

[17] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[19] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[20] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3), 4.1.5 General Access Control Design (L1 L2 L3), 4.2.1 Operation Level Access Control (L1 L2 L3)

[21] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[22] Standards Mapping - OWASP Mobile 2023 M3 Insecure Authentication/Authorization

[23] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[36] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 862

[38] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II

[59] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[60] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.abap.cross_client_data_access

Insecure Temporary File

C/C++
Python

Abstract

建立和使用不安全的暫存檔案會使得應用程式和系統資料產生安全性弱點，容易受到攻擊。

Explanation

應用程式需要非常頻繁地呼叫暫存檔案，許多種不同的機制都是為了在 C 程式庫或 Windows(R) API 中建立暫存檔案而存在的。大多函數很容易受到多種形式的攻擊。
範例：以下程式碼會在對從網路收集的直接資料進行處理之前，使用暫存檔案進行儲存。


...
if (tmpnam_r(filename)){
	FILE* tmp = fopen(filename,"wb+");
	while((recv(sock,recvbuf,DATA_SIZE, 0) > 0)&&(amt!=0))
		amt = fwrite(recvbuf,1,DATA_SIZE,tmp);
}
...

這程式碼並不容易被注意到，但卻容易受到很多不同的攻擊，因為它建立暫存檔案的方式並不安全。以下各節將詳述由此函數及其它內容所造成的安全弱點。大部分臭名昭著與暫存檔案建立有關的安全問題已在 Unix 作業系統上出現，但是 Windows 應用程式同樣存在著這樣的風險。此章節討論的主題為在 Unix 和 Windows 上建立暫存檔案。

不同系統間使用的方法和運作方式可能是不同的，但是各自造成的基本風險則相差不大。請參閱「建議事項」一節，以瞭解核心安全語言的相關資訊及安全建立暫存檔案的相關建議方法。

設計用來幫助建立暫存檔案的函數可依據其是否是提供檔案名稱或實際開啟新檔，而分成兩個部分。

群組 1 -「唯一的」檔案名稱：

第一組 C 程式庫和 WinAPI 函數是用來幫助建立暫存檔案，其透過產生唯一的檔案名稱來建立要被某程式打開的新暫存檔案。這部分包含了如 tmpnam()、tempnam()、mktemp() 這樣的 C 程式庫函數以及與其等價的以 _ (下劃線) 開頭的 C++ 文件和 Windows API 中的 GetTempFileName() 函數。這組函數在檔案名稱選擇方面很可能會有 Race Condition 的麻煩。雖然函數保證在選取檔案時，其檔案名稱是唯一的，但是沒有機制能防止其他處理或攻擊者在選取檔案後和應用程式試圖開啟檔案之前的這段時間內，建立一個相同檔案名稱。相比一個由其他程式呼叫相同函數所引發的合法衝突，攻擊者非常有可能建立一個惡意的衝突，因為由這些函數建立的檔案名稱沒有充分的隨機化來使猜測更加困難。

如果建立了特定名稱的檔案，那麼根據這個檔案的開啟方式，現有內容或存取權限都可能保持不變。如果現有檔案內容實質上是惡意的，攻擊者就可以在應用程式從暫存檔案讀取資料時向程式注入危險資料。如果攻擊者預先建立了一個能輕鬆獲取存取權限的檔案，那麼被應用程式儲存在暫存檔案裏的資料將被存取、修改或毀壞。在 Unix 系統上，如果攻擊者預先定義了一個檔案作為另一個重要檔案的連接，那麼更狡猾的攻擊也可能存在。那麼，如果應用程式從檔案截取資料或將資料寫入檔案，它將不知不覺地為攻擊者執行惡意操作。如果程式是以提升過的權限執行，那將是極其嚴重的威脅。

最後，最好的情況就是呼叫 open() 函數並使用 O_CREAT 和 O_EXCL 旗標，或者呼叫 CreateFile() 函數並使用 CREATE_NEW 屬性來開啟檔案。如此一來，如果檔案已經存在，那麼檔案建立就會失敗，也可以防範以上所描述的攻擊類型。然而，如果攻擊者可以準確預測一個檔案序列的檔案名稱，那麼應用程式將被強制禁止開啟所需的臨時儲存空間，進而引發 Denial of Service (DoS) 攻擊。如果使用由這些函數產生的一小部分亂數來選擇檔案名稱，那麼這種類型的攻擊將不難實現。

群組 2 -「唯一的」檔案：

C 程式庫函數的第二部分是藉由產生唯一的檔案名稱且開啟該檔案，來解決一些與暫存檔案有關的安全問題。這部分包含了像 tmpfile() 這樣的 C 函數和與之對應的以 _ (下劃線) 開頭的 C++ 函數，以及表現更為出色的 C 程式庫函數 mkstemp()。

類似 tmpfile() 的函數構成唯一的檔案名稱，並藉由與傳遞 "wb+" 標記時 fopen() 使用的相同方法開啟檔案，就像讀/寫模式下的二位元檔一樣。如果檔案已存在，tmpfile() 將把檔案大小縮小為 0，藉此緩和前面提到的有關存在於唯一檔案名稱選擇與隨之打開選取檔案之間的 Race Condition 的安全問題。然而，這個運作方式顯然不能解決函數的安全性問題。首先，攻擊者可能使用可能由 tmpfile().開啟的檔案所保存的寬鬆存取權限來預先建立檔案。其次，在 Unix 系統上，如果攻擊者預先建立了一個檔案作為其他重要檔案的一個連接，應用程式可能會使用其被提升的權限去縮小該檔案，這樣就能按照攻擊的意願執行破壞。最後，如果 tmpfile() 建立了一個新檔案，那麼套用在此檔案上的存取權限在不同的作業系統間是不同的；如此一來，應用程式就極易受到攻擊，而攻擊者甚至不需要預先猜測到將被使用的檔案名稱也可進行攻擊。

最後，mkstemp() 函數是建立暫存檔案的安全方式。它將以一個使用者結合一組隨機生成的字元提供的檔案名稱範本的方式，來建立並開啟唯一的檔案。如果它不能建立此檔案，它將回傳 -1 表示失敗。在先進的系統上，是使用模式0600 來開啟檔案，這就意味著這個檔案將免受干擾，除非使用者改變其存取權限。然而，mkstemp() 仍然會受到使用能夠預先推測的檔案名稱的威脅，而且如果攻擊是藉由猜測或預先建立將要使用的檔案名稱的檔案導致 mkstemp() 函數失效的話，將使應用程式極易受到 Denial of Service 攻擊。

References

[1] B. Schneier Yarrow: A secure pseudorandom number generator

[2] CryptLib

[3] Crypto++

[4] BeeCrypt

[5] OpenSSL

[6] CryptoAPI: CryptGenRandom() Microsoft

[7] RtlGenRandom() Microsoft

[8] .NET System.Security.Cryptography: Random Number Generation Microsoft

[9] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[10] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[11] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[12] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[13] Standards Mapping - CIS Kubernetes Benchmark partial

[14] Standards Mapping - Common Weakness Enumeration CWE ID 377

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090

[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[17] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)

[18] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1

[20] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II

desc.semantic.cpp.insecure_temporary_file

Abstract

建立和使用不安全的暫存檔案會使得應用程式和系統資料產生安全性弱點，容易受到攻擊。

Explanation

應用程式需要非常頻繁地使用暫存檔案，許多不同機制都是為了建立暫存檔案而存在的。大多函數很容易受到多種形式的攻擊。
範例：以下程式碼使用暫存檔案在它被處理之前用來儲存從網路上收集到的中間資料。


...
try:
  tmp_filename = os.tempnam()
  tmp_file = open(tmp_filename, 'w')
  data = s.recv(4096)
  while True:
      more = s.recv(4096)
      tmp_file.write(more)
      if not more:
        break
except socket.timeout:
  errMsg = "Connection timed-out while connecting"
  self.logger.exception(errMsg)
  raise Exception
...

這程式碼並不容易被注意到，但卻容易受到很多不同的攻擊，因為它建立暫存檔案的方式並不安全。以下各節將詳述由此函數及其它內容所造成的安全弱點。大部分臭名昭著與暫存檔案建立有關的安全問題已在 Unix 作業系統上出現，但是 Windows 應用程式同樣存在著這樣的風險。

不同系統間使用的方法和運作方式可能是不同的，但是各自造成的基本風險則相差不大。請參閱「建議事項」一節，以瞭解核心安全語言的相關資訊及安全建立暫存檔案的相關建議方法。

設計用來幫助建立暫存檔案的函數可依據其是否是提供檔案名稱或實際開啟新檔，而分成兩個部分。

群組 1 -「唯一的」檔案名稱：

第一組函數是用來幫助建立暫存檔案，這組函數透過產生唯一的檔案名稱來建立稍後程式會開啟的新暫存檔案。這組函數在檔案名稱選擇方面很可能會有 Race Condition 的麻煩。雖然函數保證在選取檔案時，其檔案名稱是唯一的，但是沒有機制能防止其他處理或攻擊者在選取檔案後和應用程式試圖開啟檔案之前的這段時間內，建立一個相同檔案名稱。相比一個由其他程式呼叫相同函數所引發的合法衝突，攻擊者非常有可能建立一個惡意的衝突，因為由這些函數建立的檔案名稱沒有充分的隨機化來使猜測更加困難。

如果建立了特定名稱的檔案，那麼根據這個檔案的開啟方式，現有內容或存取權限都可能保持不變。如果現有檔案內容實質上是惡意的，攻擊者就可以在應用程式從暫存檔案讀取資料時向程式插入危險資料。如果攻擊者預先建立了一個能輕鬆獲取存取權限的檔案，那麼被應用程式儲存在暫存檔案裏的資料將被存取、修改或毀壞。在 Unix 系統上，如果攻擊者預先定義了一個檔案做為另一個重要檔案的連接，那麼更狡猾的攻擊也可能存在。那麼，如果應用程式從檔案截取資料或將資料寫入檔案，它將不知不覺地為攻擊者執行惡意操作。如果程式是以提升過的權限執行，那將是極其嚴重的威脅。

最後，最好的情況就是呼叫 open() 函數並使用 os.O_CREAT 和 os.O_EXCL 旗標來開啟檔案。如此一來，如果檔案已經存在，那麼檔案建立就會失敗，也可以防範以上所描述的攻擊類型。然而，如果攻擊者可以準確預測一個檔案序列的檔案名稱，那麼應用程式將被強制禁止開啟所需的臨時儲存空間，進而引發 Denial of Service (DoS) 攻擊。如果使用由這些函數產生的一小部分亂數來選擇檔案名稱，那麼這種類型的攻擊將不難實現。

群組 2 -「唯一的」檔案：

函數的第二部分是藉由產生唯一的檔案名稱並開啟該檔案，來嘗試解決一些與暫存檔案有關的安全問題。這一部分包含諸如 tmpfile() 的函數。

類似 tmpfile() 的函數構成唯一的檔案名稱，並藉由與傳遞 "wb+" 標記時 open() 使用的相同方法開啟檔案，就像讀/寫模式下的二位元檔一樣。如果檔案已存在，tmpfile() 將把檔案大小縮小為 0，藉此緩和前面提到的有關存在於唯一檔案名稱選擇與隨之打開選取檔案之間的 Race Condition 的安全問題。然而，這個運作方式顯然不能解決函數的安全性問題。首先，攻擊者可能使用可能由 tmpfile().開啟的檔案所保存的寬鬆存取權限來預先建立檔案。其次，在 Unix 系統上，如果攻擊者預先建立了一個檔案作為其他重要檔案的一個連接，應用程式可能會使用其被提升的權限去縮小該檔案，這樣就能按照攻擊的意願執行破壞。最後，如果 tmpfile() 建立了一個新檔案，那麼套用在此檔案上的存取權限在不同的作業系統間是不同的；如此一來，應用程式就極易受到攻擊，而攻擊者甚至不需要預先猜測到將被使用的檔案名稱也可進行攻擊。

References

[1] B. Schneier Yarrow: A secure pseudorandom number generator

[2] Python Library Reference: os Python

[3] Python Library Reference: tempfile Python

[4] Symlink race WikiPedia

[5] Time of check to time of use WikiPedia

[6] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[7] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[8] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[9] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[10] Standards Mapping - CIS Kubernetes Benchmark partial

[11] Standards Mapping - Common Weakness Enumeration CWE ID 377

[12] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001090

[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-4 Information in Shared Resources (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-4 Information in Shared System Resources

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 3.3.1, Requirement 3.5.1

[17] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002380 CAT II

[18] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002380 CAT II

[19] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002380 CAT II

[20] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002380 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002380 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002380 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002380 CAT II

[24] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002380 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002380 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002380 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002380 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002380 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002380 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002380 CAT II

desc.semantic.python.insecure_temporary_file

AWS Ansible Misconfiguration: Insufficient API Gateway Logging

YAML

Abstract

組態定義了一個稽核記錄不足的服務。

Explanation

若缺乏稽核記錄，將會限制偵測和回應安全相關事件的能力，並阻礙取證調查。

削弱記錄控功能的組態設定包括但不限於：
- 蓄意停用稽核記錄
- 免除記錄特定使用者、群組或程序的動作
- 未充分保護記錄完整性
- 未啟用選用稽核記錄
- 降低記錄採樣率

References

[1] Open Web Application Security Project (OWASP) Logging Cheat Sheet

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 3.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[6] Standards Mapping - Common Weakness Enumeration CWE ID 778

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[8] Standards Mapping - FIPS200 CM

[9] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[10] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[12] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[13] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[17] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[18] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[19] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[20] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[21] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[22] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[23] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000380 CAT III, APSC-DV-000390 CAT III, APSC-DV-000400 CAT III, APSC-DV-000410 CAT III, APSC-DV-000430 CAT III, APSC-DV-000590 CAT II

desc.structural.iac.misconfiguration_insufficient_logging.base

AWS Ansible Misconfiguration: Insufficient CloudFront Logging

YAML