281 找到的項目

弱點

AWS Ansible Misconfiguration: Improper EC2 Network Access Control

YAML

Abstract

Ansible 工作將定義一個存取權限範圍過寬的 AWS 安全性群組。

Explanation

寬鬆的存取組態會將系統不必要地暴露在外，並擴大組織的受攻擊面。開放與公眾互動的服務通常會受到惡意實體近乎連續的掃描和探測。

在發現並發佈針對公開服務的零時差攻擊 (例如 Heartbleed) 時問題特別大。攻擊者可主動追蹤和搜尋未修補和暴露的系統以進行攻擊。

範例 1：以下 Ansible 工作將定義一個對外 (0.0.0.0/0 ) (即 TCP 連接埠 22) 開放的 AWS 安全性群組，其中 SSH 伺服器通常回應傳入的連線要求。


- name: Task to open SSH port
  amazon.aws.ec2_group:
    name: demo_security_group
    description: Open the ssh port to the world
    state: present
    vpc_id: 123456
    region: us-west-1
    rules:
    - proto: tcp
        ports: 22
        cidr_ip: 0.0.0.0/0

References

[1] Ansible project contributors amazon.aws.ec2_group – maintain an ec2 VPC security group

[2] Jesse Lepich and Michael Ingoldby AWS Security Blog: How to continuously audit and limit security groups with AWS Firewall Manager

[3] Jeffrey Lyon AWS Security Blog: How to Help Prepare for DDoS Attacks by Reducing Your Attack Surface

[4] Josh Fruhlinger CSOOnline: The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

[5] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[6] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[7] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[9] Standards Mapping - Common Weakness Enumeration CWE ID 749

[10] Standards Mapping - Common Weakness Enumeration Top 25 2020 [18] CWE ID 522

[11] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[12] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[13] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[14] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[15] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[16] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[17] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[18] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[19] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[21] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[22] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[23] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[24] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[36] Standards Mapping - SANS Top 25 2009 Porous Defenses - CWE ID 285

[37] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[38] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[39] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II, APSC-DV-001520 CAT II

[60] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[61] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.yaml.aws_ansible_misconfiguration_improper_ec2_network_access_control.base

Prototype Pollution

JavaScript/TypeScript

Abstract

該應用程式允許使用者污染原型。

Explanation

Prototype Pollution 是一種允許惡意使用者覆寫物件原型的攻擊。
如要了解 Prototype Pollution，首先必須了解原型繼承。原型和原型鏈用作 JavaScript 中的屬性與函數查詢，從而提供繼承。當嘗試存取特定物件的屬性時，會檢查目前物件定義。如果目前物件沒有定義該屬性，則會檢查原型類別。原型會以遞迴方式檢查，直到找到該屬性，或沒有其他已設定的原型。

由於 JavaScript 中的大多數物件都預設具有一個指向 Object.prototype 的原型，因此如果攻擊者可以覆寫物件的原型，通常就可以覆寫 Object.prototype 的定義，進而影響應用程式內的所有物件。

如果應用程式 (或其任何相依項) 仰賴的事實是屬性可以是 undefined 而不是始終明確設定的屬性，那麼如果原型已受污染，應用程式就可能在無意間讀取原型而不是預期的物件。

Prototype Pollution 可能會在以下情況發生：

1.資料從一個不可信賴的來源進入程式。

2.資料被傳遞至允許覆寫原型的 API。

範例 1：下列程式碼使用易受攻擊的 lodash 版本來污染物件的原型：


import * as lodash from 'lodash'
...
let clonedObject = lodash.merge({}, JSON.parse(untrustedInput));
...

此時，如果不受信賴的輸入為 {"__proto__": { "isAdmin": true}}，則 Object.prototype 將擁有定義的 isAdmin = true。

假設下列程式碼之後會存在於應用程式中。


...
let config = {}
if (isAuthorizedAsAdmin()){
    config.isAdmin = true;
}
...
if (config.isAdmin) {
    // do something as the admin
}
...

即使 isAdmin 僅應在 isAuthorizedAdmin() 傳回 true 時才設為 true，但因為應用程式未能在 else 條件中設定 config.isAdmin = false，所以還是會仰賴 config.isAdmin === undefined === false 的事實。
遺憾的是，由於原型已受污染，config 的原型現已設定 isAdmin === true，這會允許略過管理員授權。

References

[1] Olivier Arteau Prototype pollution attack.

[2] Open Web Application Security Project (OWASP) Prototype Pollution Prevention Cheat Sheet

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 2

[7] Standards Mapping - CIS Google Cloud Computing Platform Benchmark partial

[8] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[9] Standards Mapping - Common Weakness Enumeration CWE ID 1321

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[11] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[13] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[14] Standards Mapping - OWASP Top 10 2021 A08 Software and Data Integrity Failures

[15] Standards Mapping - OWASP API 2023 API3 Broken Object Property Level Authorization

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.5.2 Input and Output Architectural Requirements (L2 L3), 5.1.2 Input Validation Requirements (L1 L2 L3)

[17] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation

[18] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control

[23] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[24] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[25] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002150 CAT II, APSC-DV-002560 CAT I

[26] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002150 CAT II, APSC-DV-002530 CAT II, APSC-DV-002560 CAT I

desc.dataflow.javascript.prototype_pollution

Cross-Site Scripting: External Links

Java/JSP

Abstract

傳送未經驗證的資料至網路瀏覽器，會導致瀏覽器執行惡意的程式碼。組態中的設定可盡量降低暴露於 Cross-Site Scripting 的風險

Explanation

Cross-Site Scripting (XSS) 弱點會在以下情況中出現：

1.資料透過不可信賴的來源進入 Web 應用程式，通常是一個網頁要求或資料庫。

2.未經驗證且包含在動態內容中的資料將傳送給某個網頁使用者。

傳送到網頁瀏覽器的惡意內容經常是以 JavaScript 片段的形式出現，但是也可能包含 HTML、Flash 或者瀏覽器執行的任何其他程式碼類型。以 XSS 為基礎的攻擊手段花樣百出且幾乎無窮無盡，但是它們通常會傳輸 Cookie 或其他階段作業資訊之類的私人資料給攻擊者、將受害者重新導向到攻擊者控制的網頁內容，或者利用易受攻擊的網站，在使用者的機器上執行其他惡意操作。

因為針對 XSS 弱點的攻擊通常與攻擊者所控制惡意網站之間的通訊或重新導向動作有關，可以插入導向至其他網域內容的參照，對惡意程式而言，更如虎添翼。您可將 AntiSamy 設定為避免連線至外部網域的連結，也就可以降低攻擊者可能透過 XSS 攻擊所造成的損害。但是，這種保護機制只解決了部分問題，而且無法解決 XSS 弱點所造成的整體威脅。

範例 1：以下 AntiSamy 組態項目允許連結到應用程式執行網域以外的 URL。


		<attribute name="href" onInvalid="filterTag">
			<regexp-list>
				<regexp name="onsiteURL"/>
				<regexp name="offsiteURL"/>
			</regexp-list>
		</attribute>

References

[1] Understanding Malicious Content Mitigation for Web Developers CERT

[2] HTML 4.01 Specification W3

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 5.0

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 5.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark integrity

[8] Standards Mapping - CIS Kubernetes Benchmark complete

[9] Standards Mapping - Common Weakness Enumeration CWE ID 79, CWE ID 82, CWE ID 83, CWE ID 87, CWE ID 692

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [2] CWE ID 079

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [1] CWE ID 079

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [2] CWE ID 079

[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [2] CWE ID 079

[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [2] CWE ID 079

[15] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001167, CCI-001310

[16] Standards Mapping - FIPS200 SI

[17] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[18] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-18 Mobile Code (P2)

[19] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-18 Mobile Code

[20] Standards Mapping - OWASP Top 10 2004 A4 Cross Site Scripting

[21] Standards Mapping - OWASP Top 10 2007 A1 Cross Site Scripting (XSS)

[22] Standards Mapping - OWASP Top 10 2010 A2 Cross-Site Scripting (XSS)

[23] Standards Mapping - OWASP Top 10 2013 A3 Cross-Site Scripting (XSS)

[24] Standards Mapping - OWASP Top 10 2017 A7 Cross-Site Scripting (XSS)

[25] Standards Mapping - OWASP Top 10 2021 A03 Injection

[26] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.3.3 Output Encoding and Injection Prevention Requirements (L1 L2 L3), 5.3.6 Output Encoding and Injection Prevention Requirements (L1 L2 L3)

[27] Standards Mapping - OWASP Mobile 2014 M7 Client Side Injection

[28] Standards Mapping - OWASP Mobile 2023 M4 Insufficient Input/Output Validation

[29] Standards Mapping - OWASP Mobile 2024 M4 Insufficient Input/Output Validation

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.3.1.1, Requirement 6.5.1

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.7

[33] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.7

[34] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.7

[35] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.7

[36] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.7

[37] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[38] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[39] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation

[40] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective B.3.1 - Terminal Software Attack Mitigation, Control Objective B.3.1.1 - Terminal Software Attack Mitigation, Control Objective C.3.2 - Web Software Attack Mitigation

[41] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 116

[42] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 079

[43] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 079

[44] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3510 CAT I, APP3580 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3510 CAT I, APP3580 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3510 CAT I, APP3580 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3510 CAT I, APP3580 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3510 CAT I, APP3580 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3510 CAT I, APP3580 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3510 CAT I, APP3580 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[58] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[59] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[60] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[61] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[62] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[63] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002490 CAT I, APSC-DV-003300 CAT II

[64] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002490 CAT I, APSC-DV-002530 CAT II, APSC-DV-003300 CAT II

[65] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Scripting (WASC-08)

[66] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Scripting

desc.config.java.xss_external_links

File Disclosure: Django

Python

Abstract

以使用者輸入建構 FileResponse 實例讓攻擊者能夠下載受保護目錄內的應用程式二位元程式碼，或是檢視其中的任何檔案。

Explanation

以下狀況都會導致檔案洩漏：
1. 資料從一個不可信賴的來源進入程式。

2. 此資料將用於動態地建構路徑。

範例 1：以下程式碼採用不可信賴的資料，並使用該資料來開啟檔案，該檔案隨後會回傳給使用者。


from django.http import FileResponse
...
def file_disclosure(request):
    path = request.GET['returnURL']
    return FileResponse(open(path, 'rb'))
...

如果攻擊者所提供 URL 的要求參數符合敏感檔案位置，他們也會能夠檢視該檔案。例如，"http://www.yourcorp.com/webApp/logic?returnURL=settings.py" 可讓他們檢視應用程式的 "settings.py"。

References

[1] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4.0

[2] Standards Mapping - CIS Microsoft Azure Foundations Benchmark complete

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.1

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark partial

[7] Standards Mapping - Common Weakness Enumeration CWE ID 552

[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation

[12] Standards Mapping - OWASP Top 10 2004 A1 Unvalidated Input

[13] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[14] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[15] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[16] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[18] Standards Mapping - OWASP API 2023 API1 Broken Object Level Authorization

[19] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.12.1 Secure File Upload Architectural Requirements (L2 L3), 12.5.1 File Download Requirements (L1 L2 L3)

[20] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.1

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 073

[33] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I

[34] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I

[35] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I

[47] Standards Mapping - Web Application Security Consortium Version 2.00 URL Redirector Abuse (WASC-38)

desc.dataflow.python.file_disclosure_django

Dockerfile Misconfiguration: Privileged Port

Docker

Abstract

Dockerfile 會開啟 1024 以下的容器連接埠。

Explanation

依據預設，Docker 會允許將具有特權的連接埠繫結至容器，並且如果使用者未宣告連接埠，則 Docker 會將容器連接埠對應至 49153-65535 範圍內的可用連接埠。在許多情況下，需要開啟某些連接埠才能執行服務，並且隨著時間的流逝，開啟的連接埠數量可能會越來越多。開啟的連接埠會增加攻擊面，對於以更高特權執行的服務更是如此。請確保僅開啟該特定服務所需的連接埠。當服務不需要更高的特權時，請在具有特權的連接埠範圍之外的連接埠上執行服務。

References

[1] Docker EXPOSE instruction

[2] Docker Networking User Guide

[3] Standards Mapping - CIS Azure Kubernetes Service Benchmark 1.0

[4] Standards Mapping - CIS Microsoft Azure Foundations Benchmark partial

[5] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4.0

[6] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[7] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal

[8] Standards Mapping - CIS Kubernetes Benchmark partial

[9] Standards Mapping - Common Weakness Enumeration CWE ID 20

[10] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[11] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[12] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[13] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[14] Standards Mapping - Common Weakness Enumeration Top 25 2023 [6] CWE ID 020

[15] Standards Mapping - FIPS200 CM

[16] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[17] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[18] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[19] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[24] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[25] Standards Mapping - OWASP Mobile 2023 M2 Inadequate Supply Chain Security

[26] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[32] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[35] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[36] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[37] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.configuration.docker.dockerfile_misconfiguration_privileged_port

AWS Ansible Misconfiguration: Improper ECR Access Control

YAML

Abstract

組態未套用適當的存取控制。

Explanation

無所克制的關鍵或敏感資源存取權，可能會以各種方式對組織產生重大影響，包括洩露或篡改關鍵資料。

References

[1] Open Web Application Security Project (OWASP) Authorization Cheat Sheet

[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 2.0

[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 2.0

[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 1

[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark confidentiality

[6] Standards Mapping - CIS Kubernetes Benchmark complete

[7] Standards Mapping - Common Weakness Enumeration CWE ID 284

[8] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[9] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[10] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[12] Standards Mapping - FIPS200 AC

[13] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-6 Least Privilege (P1)

[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-6 Least Privilege

[16] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[17] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[18] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[19] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[20] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[21] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[22] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[23] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[35] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[36] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[37] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001410 CAT II

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.misconfiguration_improper_access_control.base

AWS Ansible Misconfiguration: Improper S3 Access Control

YAML